Temporal Logic - From Philosophy and Proof Theory to Artificial Intelligence and Quantum Computing [1 ed.] 9789811268533, 9789811268540, 9789811268557

Citation preview

TEMPORAL LOGIC From Philosophy and Proof Theory to Artificial Intelligence and Quantum Computing

World Scientific

This page intentionally left blank

TEMPORAL LOGIC From Philosophy and Proof Theory to Artificial Intelligence and Quantum Computing

Stefania Centrone Klaus Mainzer Technical University of Munich, Germany

World Scientific NEW JERSEY

•

LONDON

•

SINGAPORE

•

BEIJING

•

SHANGHAI

•

World TAIPEI Scientific CHENNAI TOKYO

HONG KONG

•

•

•

Published by World Scientific Publishing Co. Pte. Ltd. 5 Toh Tuck Link, Singapore 596224 USA office: 27 Warren Street, Suite 401-402, Hackensack, NJ 07601 UK office: 57 Shelton Street, Covent Garden, London WC2H 9HE

Library of Congress Control Number: 2023006260

British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library.

TEMPORAL LOGIC From Philosophy and Proof Theory to Artificial Intelligence and Quantum Computing Copyright © 2023 by World Scientific Publishing Co. Pte. Ltd. All rights reserved. This book, or parts thereof, may not be reproduced in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system now known or to be invented, without written permission from the publisher.

For photocopying of material in this volume, please pay a copying fee through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA. In this case permission to photocopy is not required from the publisher.

ISBN 978-981-126-853-3 (hardcover) ISBN 978-981-126-854-0 (ebook for institutions) ISBN 978-981-126-855-7 (ebook for individuals) For any available supplementary material, please visit https://www.worldscientific.com/worldscibooks/10.1142/13205#t=suppl Desk Editors: Logeshwaran Arumugam/Rok Ting Tan Typeset by Stallion Press Email: [email protected] Printed in Singapore

Preface

Calculi of temporal logic are widely used in modern computer science. The temporal organization of information flowing in the different architectures of laptops, the Internet, or supercomputers would not be possible without appropriate temporal calculi. But the situation is similar to modern artificial intelligence (AI) and other digital technologies. In the age of digitalization and high-tech applications, people are often not aware or have forgotten that temporal logic is deeply rooted in the philosophy of modalities, which dates back to antique philosophers, such as Aristotle and Theophrast. At the dawn of the modern scientific era, Leibniz and others came up with the first ideas of formal calculi and machine-based decision procedures, which culminated in the proof theory of the 20th century, connected with names such as Hilbert, Gentzen, G¨odel, and Turing. The debates on mathematical foundations at that time underline the important role of constructive and intuitionistic procedures for proof theory, which are also convenient for computational algorithms in computer science. Becker and G¨ odel discovered a link between intuitionistic and modal logic. Automatic reasoning in modern AI and robotics would not be possible without the constructive methods of proof theory and mathematical logic. Therefore, a first goal of this book is to become aware of these roots in philosophy and proof theory (Section 1.1). A deep understanding of these roots opens avenues to the modern calculi of temporal logic, which have emerged by the extension of modal logic by temporal operators (Section 1.2). Chapter 2 is dedicated to the computational foundations of temporal logic in different calculi with v

vi

Temporal Logic: From Philosophy and Proof Theory

increasing complexity, such as basic modal logic (BML) (Section 2.1), linear-time temporal logic (LTL) (Section 2.2), computation tree logic (CTL) (Section 2.3), and full computation tree logic (CTL*) (Section 2.4). Chapter 3 highlights the proof-theoretical foundations of temporal logics. A fundamental role for proof-theoretical interpretations of the temporal calculi is played by the sequent calculus of Gentzen (Section 3.1). The tableau-based calculus (Section 3.2), automatabased calculus (Section 3.3), game-based calculus (Section 3.4), and dialogue-based calculus (Section 3.5) are more or less inspired by a Gentzen-style sequent calculus. They are applied as proof-theoretical interpretations to the calculi of the modal and temporal logics, which were introduced in Chapter 2. It is remarkable that these different interpretations of temporal logics have different advantages but also different disadvantages for different purposes, especially in computer science. Therefore, it makes sense to have these different approaches of proof theory to temporal logics. Chapter 4 provides an outlook on trend-setting applications of temporal logics in future technologies, such as AI and quantum technology. Modern machine learning is based on statistical learning theory and stochastic procedures, which need control policies for safety and security. At this point, formal tools of temporal calculi come in to certify AI programs, which are characterized by complex information flow in machine learning (Section 4.1). In quantum technology, quantum physics and computer science are growing together. Traditional temporal logics assume classical physics and its concept of time as self-evident. But we have to consider the different concepts of time in the different physical theories. They have been studied in different temporal logics of, for example, relativistic physics (Section 4.2). For quantum technologies, modal and temporal operators significantly depend on basic concepts such as quantum parallelism in quantum computers and entanglement in quantum communication (Section 4.3). Temporal logics are obviously deeply embedded in current digital technologies. Therefore, the chapter concludes with an outlook on the societal impact of temporal

Preface

vii

logic, which is needed to handle the increasing complexity in a computational, high-tech world of Big Data (Section 4.4). The book is written by the two authors with respect to their earlier and ongoing studies and complementary competence. Stefania Centrone wrote Sections 1.2 and 3.1. Klaus Mainzer wrote Sections 1.1, 2.1–2.4, 3.2–3.5, and 4.1–4.4.

This page intentionally left blank

About the Authors

Klaus Mainzer is Emeritus of Excellence at the Technical University of Munich (TUM) and senior professor at the Carl Friedrich von Weizs¨acker Center of the University of T¨ ubingen. After studies of mathematics, physics, and philosophy and a Heisenberg award at the University of M¨ unster, he was a professor of the foundations and history of exact sciences and vice president at the University of Constance, a professor of philosophy of science and the director of the Institute of Interdisciplinary Informatics at the University of Augsburg, and a professor of philosophy of science, the director of the Carl von Linde Academy, and the founding director of the Munich Center for Technology in Society (MCTS) at TUM. His principal research interests are in the constructive and computational foundations of mathematics, science, and philosophy, with a special focus on AI technology and its societal impact. Stefania Centrone is a Professor of Logic and Philosophy of Science at the Technical University of Munich (TUM). She studied philosophy at the University of Florence from 1994 to 1999 and got her PhD at the Scuola Normale Superiore, a university institution of higher education based in Pisa. In 2012, she got the German habilitation in philosophy at the University of Hamburg, where she also received her venia legendi in 2013. She holds the Italian habilitation for ordinary professorship in the logic, philosophy, and history of science. With the award of the Heisenberg position, Stefania Centrone has been recognized as belonging to the top 5% of researchers of excellence in Germany, according to the German Research Foundation (DFG). ix

This page intentionally left blank

Contents

Preface

v

About the Authors

ix

1.

Philosophical Roots of Temporal Logic

1

1.1 The Concept of Time . . . . . . . . . . . . . . . . . . 1.2 Toward Formal Systems of Temporal Logic . . . . . .

1 8

2.

Computational Foundations of Temporal Logic 2.1 2.2 2.3 2.4

3.

Basic Modal Logic . . . . . . Linear-Time Temporal Logic Computation Tree Logic . . Full Computation Tree Logic

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

27 . . . .

. . . .

. . . .

Proof-Theoretical Foundations of Temporal Logic 3.1 3.2 3.3 3.4 3.5

Gentzen Calculus and Temporal Logic . . . . . Tableaux-Based Calculus and Temporal Logic Automata-Based Calculus and Temporal Logic Game-Based Calculus and Temporal Logic . . Dialogue-Based Constructive Temporal Logic .

xi

. . . . .

. . . . .

. . . . .

29 32 36 41 45

. . . . .

46 67 77 84 95

xii

4.

Temporal Logic: From Philosophy and Proof Theory

Applications and Outlook of Temporal Logic 4.1 Temporal Logic in Artificial Intelligence and Machine Learning . . . . . . . . . . . . . . . 4.2 Temporal Logic in Relativistic Physics . . . 4.3 Temporal Logic in Quantum Computing . . 4.4 Societal Impact of Temporal Logic . . . . . .

. . . .

111 . . . .

. . . .

. . . .

. . . .

111 131 152 180

References

191

Index

201

Chapter 1

Philosophical Roots of Temporal Logic

1.1.

The Concept of Time

Pre-Socratic natural philosophers, such as Parmenides and Heraclitus, formulated basic questions of time that influence the discussion even today. Is the world, as Heraclitus believed,1 in constant becoming and time an irreversible process like the flow of a river? Or is every change, as Parmenides believed, only apparent and time a reversible parameter of an inherently unchanging world? Zeno’s famous paradox of the arrow of time illustrates the problem: “If everything that behaves in a uniform manner is either in constant rest or constant motion, but everything that moves is always in the now, then the flying arrow is without motion.” Thus, during the duration of a moment, an arrow in motion takes a route from which it does not move away during that moment. Also, in the next moment, it covers this distance, from which it does not move away during this moment. But how can it then move away at all, however small the distance between two moments may be?2 Mathematically, the criticism of Zeno’s paradox is simple if (as in modern physics) the flight distance of the arrow is understood as a real number continuum. Then, there is simply no “next” moment

1 2

Diels-Kranz (1960/1961). Ferber (1981). 1

2

Temporal Logic: From Philosophy and Proof Theory

because the points in the continuum are dense, so between two adjacent points, an intervening point can always be given (e.g., by halving the distance between them). Democritus’ atomic theory can be understood as a consequence of the Heraclitean doctrine of change and the Parmenidean principle of unchangeable being. While objects such as stones, plants, and animals are, according to Democritus, aggregates of atoms, which can change in time and combine into new atomic groupings, atoms and empty space are timeless, uncreated, and eternal. The task of physics, according to Aristotle, is to explain the principles and functions of diversity and change in nature. 1.1.1.

Aristotelean temporal logic

The general principle that makes an individual being, such as a stone, a plant, or an animal, what it is, Aristotle calls the form. That which is determined by the form is called matter. Form and matter, however, do not exist by themselves but are principles of nature obtained by abstractions. Matter is therefore also called the possibility (“potency”) of being formed. Only by the fact that matter is formed, reality arises. Movement is determined as change, as a transition from possibility to reality, or as “actualization of potency.” According to Aristotle, movement includes all goal-oriented processes in nature, such as the fall of a stone to the Earth, the growth of a tree from seed to final form, and the development of man from infant to adult. This offers the following solution to Zeno’s paradox of the arrow of time. In doing so, Aristotle criticizes Zeno’s definition of the present. The present, Aristotle argues, is no more part of time than a point is part of a distance. Rather, one must think of the present as a potential, non-actual cut in the time continuum that separates the future from the past. In that case, the present is not a point in time in which the arrow is actual but only a possibility. In fact, the arrow performs a continuous movement. Aristotle is the first philosopher to formulate the concept of continuum precisely. Time, he says, is continuously connected in the now. But time has no existence of its own. Real are only the movements of nature. The now of a moment is a cut in the continuum of movement. Since one can potentially make an unlimited number of

Philosophical Roots of Temporal Logic

3

cuts in the continuum, countably many moments result without ever being able to exhaust the continuum. “Time,” says Aristotle, “is not, however, motion, but what is countable about it.”3 As a measure of time, Aristotle proposes circular motion, against which other motions can be measured. The assumed spherical motions of the stars and planets are for him a reference system to measure, for example, hours, days, and years. The uniform circular motion is considered the basic measure of ancient and medieval astronomy. Against the background of his philosophy of time and continuum, Aristotle develops a logic of temporal modalities. Real is what is now realized (i.e., true) at the moment. Possible is what is realized (i.e., true) at a present or future time. Necessary is what is realized at the present and in any future time. Thus, the now-relativization is characteristic in his definition of modalities. While Stoic logic subscribes to this definition of the modalities of time, the Megaric school of philosophy uses the modalities of possibility and necessity even without now-relativization. Possible is what is realized at a certain time. Necessary is what is realized at any time. The Aristotelian analysis of the sentence “Tomorrow a sea battle will take place” became famous.4 It is already true that tomorrow a sea battle will take place or that tomorrow a sea battle will not take place. Does it not include that either it is already true that a naval battle will take place tomorrow, or that it is already true that a naval battle will not take place tomorrow? Does it not include, then, that whichever of the two statements (of which we do not yet know which) will be true tomorrow is already true today? In the symbolism of temporal logic, p denotes a state, such as “a naval battle is taking place.” The symbol N p is supposed to mean that the state denoted by p will take place tomorrow. As a time measure, for example, at noon, the highest position of the sun can be indicated. The symbol N ¬p then means that the negation ¬p of the state denoted by p takes place tomorrow, i.e., p does not take place. The symbol ∨ stands for the logical or-connection of two statements describing two states. Then, the symbol N (p ∨ ¬p) says

3 4

Aristotle (1956, p. 219b). Aristotle (1994, pp. 27–97).

4

Temporal Logic: From Philosophy and Proof Theory

that it is already true that the state described by p will exist or not exist tomorrow. But does it follow that, according to the Aristotelian problem, N p ∨ N ¬p, i.e., is it already true that the state denoted by p will exist tomorrow or that its negation ¬p will exist tomorrow? 1.1.2.

Linear and branching temporal logic

Modern logicians, such as G. H. von Wright, have shown that the answer to this question depends on the topology of time evolution on which we base the world. In a linear conception of time, the time segments (e.g., days) are arranged sequentially on a straight line. Each node in Fig. 1.1(a) stands for the overall state (i.e., a conjunction of many partial states) of the world at a given time interval. The filled node (•) stands for the now updated overall state. The subsequent nodes denote future overall states, and the previous ones denote past overall states. In this time model, the subsequent states are uniquely determined without alternative. Therefore, in this world, it is true now that a naval battle will take place tomorrow or that no naval battle will take place tomorrow. But if we assume the possibility of several future development branches, we get the picture of a time tree as in Fig. 1.1(b), where the actualized now (•) is followed by several possible overall states in the next temporal period (e.g., days), which again can be followed by several possible overall states in the next but one temporal period, etc. The dotted lines indicate the possibility of a future development branch. The dotted lines also indicate that in past time periods, several possibilities may have existed, which were not realized, however. The past is therefore a linearly arranged sequence of total states to the following time periods. The assertion that N (p ∨ ¬p) is true at a given temporal period holds in both development models. At the present time interval (•), in both Figs. 1.1(a) and 1.1(b), it is true that the partial state, denoted by p, either is or is not a component of any overall state following in the next time interval (tertium non datur ). However, the assertion that N p ∨ N ¬p is true at a given time interval is generally true only in the linear world (Fig. 1.1(a)). Indeed, in the case of a branched future world (Fig. 1.1(b)), it would have to be true at the present time interval that the partial state denoted by p is part of any subsequent

Philosophical Roots of Temporal Logic

5

(a)

(b)

Fig. 1.1.

(a) Linear time. (b) Branching tree of time.

overall state in the next time interval (N p), or it would have to be true that the partial state denoted by p does not belong to any subsequent overall state (N ¬p).5 In the example of an ancient sea battle, the condition of the already present truth N p is probably never satisfied. However, one can easily think of conditions where N ¬p is already true today. For example, all ships are distributed in the world today in such a way that they could not possibly be gathered into a fleet tomorrow. If N ¬p is true, then the truth of N p ∨ N ¬p also follows. Linear and branching time are relevant for several arguments and positions in the history of philosophy. According to William of Ockham (1288–1347), propositions about the future have a definite truth value, although only God can know them. But Ockham did not support determinism or fatalism that denies human free will. The question arises whether the branching-time model needs to assume a privileged branch.6 Obviously, Ockham rejected the Aristotelian idea that, in order to preserve the contingency of the future, future contingents must be deemed neither true nor false. Later, C. S. Peirce (1839–1914) criticized the assumption that future contingents can have definite truth values. For Peirce, only the present and past are actualized. The future is open to possibility and necessity.

5 6

von Wright (1974, pp. 161–178). Santelli (2022).

6

1.1.3.

Temporal Logic: From Philosophy and Proof Theory

Temporal logic of modern physics

The debate on Aristotelian temporal logic illustrated that concepts of temporal modalities often depend on physical assumptions. In modern physics, the Ptolemaic planetary model with its uniform circular motions is no longer a reference system for time measurement. Celestial bodies are understood as reference systems in which clocks measure time. To the question “What is time?” Einstein had answered succinctly, “Time is what a clock measures.” According to this, celestial bodies in the Universe are moving reference systems with space and time coordinates, in which lengths are measured with scales and time with clocks. Newton still assumed the “resting” Universe as absolute space with absolute time, with which all moving clocks can be synchronized. According to Einstein’s special theory of relativity, time measurement is no longer absolute but becomes path dependent. Every moving body therefore has its own relativistic time (“proper time”). Thus, there is no absolute distinction between the past, present, and future but only relative to the observer who has his or her proper time. This relativistic insight is reflected in a famous quotation of Einstein which he mentioned at the occasion of the death of his Swiss friend Michele Besso in March, 1955: Now he has also preceded me a little with his farewell to this strange world. That means nothing. For us believers in physics, the distinction between past, present and future has only the significance of an illusion, albeit a stubborn one.

As a physicist, Einstein does not mean a subjective time of experience but a metrically, topologically, and objectively precise concept of time. For St. Augustine, the distinction of past, present, and future is only in the mind (“soul”) of an observer: But this much is now clear and distinct: neither the future nor the past “is,” and not actually can be said: times “are” three: past, present, and future; . . . For it is these times as a kind of trinity in the soul, and elsewhere I do not see them; and there is the presence of the past, namely memory; the presence of the present, namely sight; the presence of the future, namely

Philosophical Roots of Temporal Logic

7

expectation. If we are allowed to speak in this way, then I also see three times and admit: yes, there are three.7

In general relativity, spatio-temporal reference systems that are under the influence of gravitational forces are taken into account. This causes space-time to be “curved.” In Section 3.1, it is shown what changes this results in for temporal modalities in the temporal logic. On the basis of the general theory of relativity, the cosmological standard models for the possible developments of the Universe can be derived mathematically. The differences between linear- and branched-time logic with time trees must be taken into account. Some models allow finite and infinite temporal evolutions with an initial singularity (“Big Bang”) and final singularity (“Big Crush”). In the Christian tradition of philosophy, an initial beginning of time (“Creation”) and an ending of time (“Day of Judgment”) were already assumed (e.g., by St. Augustine). Black holes, whose existence follows from general relativity, are also physically time singularities in which time evolutions (trajectories) end. In the dawning age of space travel, time travel has become interesting and is theoretically possible in some models. Particularly noteworthy is G¨ odel’s solution to Einstein’s gravitational equation, which allows for circular time trajectories. For a physical decision on these time models, however, quantum mechanics must also be taken into account. According to Heisenberg’s uncertainty principle, time measurement depends on Planck’s quantum of action: The more precisely the time of a quantum system (e.g., an elementary particle) is measured, the more the measured value of its energy scatters and vice versa. Time and energy are conjugate quantities in quantum mechanics. The path of an elementary particle from an initial location to a future location is no longer determined by a unique time trajectory (line). Rather, according to Feynman’s path integral, all possible connecting paths between the two locations must be taken into account (“summed up”).

7

Augustine (2016, Book XI).

8

Temporal Logic: From Philosophy and Proof Theory

Classical physics, relativity, and quantum mechanics, however, leave untouched an important aspect of time that is essential to our everyday understanding of time. We experience time as irreversible: We are born, age, and die. The reversal has never been observed. In contrast, the basic laws of classical physics, relativity, and quantum mechanics are time-invariant, i.e., they also allow for the reversible time transformation t → −t. In thermodynamics, however, irreversible processes are studied: Milk poured into coffee mixes into latte. The reversal has never been observed. Traditional temporal logic often assumes an everyday understanding of time with irreversible development that would first have to be physically justified by statistical mechanics and thermodynamics. In that case, as shown in Section 3.1, time can no longer be understood as a parameter (parameter time) but as an operator that describes irreversible entropy processes of complex statistical systems near and far away from thermal equilibrium (operator time).

1.2.

Toward Formal Systems of Temporal Logic

From the late 19th to the early 20th century, new concepts of temporal logic were developed against the background of new philosophical tendencies and emerging formal logic. Therefore, on the historical path to formal systems of temporal logic, we start with the remarkable, but less considered, philosophical and formal studies of the mathematician and philosopher Oskar Becker in 1930. In an essay titled “On the Logic of Modalities,” he states8 : Considered from the standpoint of modalities [. . .] the problem of mathematics and temporality [. . .] receives a strong, though unilateral, clarification. [. . .] The “logic” of modalities has a deep relation to temporality.

This section sets out to formally explore the relation between modalities and temporality based on Becker’s considerations.

8 Becker (1930, p. 43, op.). Henceforth, page numbers of references to Becker (1930) are from the original pagination.

Philosophical Roots of Temporal Logic

9

Let us first state that temporal propositions contain some reference to time conditions. Classical logic consists of timeless propositions, such as: A: “The sun is a star.” B: “The sun is rising.” C: “The sun is setting.” Proposition A is timeless since it is true in the past, present, and future. Propositions B and C refer to the time condition “now.” While formulas of classical logic refer to static states and properties, formulas of temporal logic describe sequences of state changes. A temporal logic results from an extension of a classical propositional or predicate logic through temporal operators which introduce temporalized modalities.9 There are at least four temporal operators, G, H, F, and P: — — — —

G (Guarantee): H (History): F (Future): P (Past):

GA: the proposition that A will be always true. HA: the proposition that A was always true. FA: the proposition that A will be true. PA: the proposition that A has been true.

The operators “G” and “H” denote necessity both in the past and the future. The operators “F” and “P” denote possibility both in the past and the future. For the sake of simplicity, we denote them by the operators normally used in the current logic of alethic modalities: necessity () and possibility (♦), with an index “p” or “f” to refer to the past or the future, respectively. Thus: — — — —

G (Guarantee): H (History): F (Future): P (Past):

f A: the proposition that A will be always true. p A: the proposition that A was always true. ♦f A: the proposition that A will be true. ♦p A: the proposition that A has been true.

In principle, classical logic can express temporal properties too but through complicated formulas with quantifiers relating to points of time. 9

See van Benthem (1983).

Temporal Logic: From Philosophy and Proof Theory

10

Linear time refers to sequences of states. If linearity of time is assumed, additional operators, such as “next” and “until,” can be introduced. In this case, each state has exactly one future. In branching-time logic, a state can have several futures that refer to a branching tree of states. Tree models are used to model nondeterministic developments. Before coming to a formal system of temporal logic, we analyze Becker’s text against the background of the main philosophical questions about the nature and the properties of time10 : Does time have a beginning or an end? Is time linear and directional, branching, or circular? Does Becker comprehend time as instant-based or intervalbased? Does he take time to be discrete, dense, or continuous? Does our perception of time depend on the structure of consciousness? Does it depend on physical measurement? It turns out that Becker’s analysis is inspired by mathematical intuitionism. The final question is: How do we best choose a formal language that is suitable to express Becker’s ideas about time? The formal systems in question are even remarkable for applications in linguistics, computer science, and artificial intelligence. 1.2.1.

Modo recto and modo obliquo

“One can [. . .] say” — so says Becker in “On the Logic of Modalities” — “that the philosophical ‘discovery’ of the ‘modi obliqui,’ possibility and necessity, which have acquired their ontological acknowledgement only after the ‘modus rectus,’ the ‘truth’ (reality) (and its opposite, the ‘falsity’ or ‘unreality’), represent a first step towards the discovery of the ‘authentic’ temporality. For, the characteristic ‘modi’ of the latter, the future and the ‘past,’ can be literally designated as ‘modi obliqui temporales’ as opposed to the temporal ‘modo recto,’ that is, the ‘present.’”11 Let us first note that the passage just quoted says that (i) there is an authentic temporality, even if Becker doesn’t say what it is, that (ii) the alethic modalities, possibility and necessity, pave the way to discover such an authentic temporality, and that (iii) the characteristic modi of the latter are the future and the past. 10 11

Mainzer (2002). Becker (1930, p. 43).

Philosophical Roots of Temporal Logic

11

What about modo recto/modo obliquo? Modo recto/modo obliquo is a terminology that, as readers familiar with the Austrian-Polish tradition would know, is often associated with the name of Franz Brentano. Roughly, one represents something modo recto if one refers directly to it and modo obliquo if it is a secondary object of one’s intention. So, if one thinks of Dr. Bernard Bolzano’s edifying speeches to the academic youth, one represents, according to Brentano, the edifying speeches modo recto and the academic youth modo obliquo. We will later confront Brentano’s use of the expressions modo recto/modo obliquo at a variance with Becker’s. For the moment, we just state that they are different and focus on the latter. According to Becker, the expressions modus rectus — obliquus come from Latin grammar and correspond to the verbal moods rather than to the verbal tenses: The indicative is the “direct” mood, the subjunctive is the “indirect” (or “oblique”) mood. The indicative corresponds to the actuality and the subjunctive to the non-actuality of a process that takes place over time. Becker singles out, prima facie, three modalities: contingency (recto), possibility and necessity (obliquo), and three temporal dimensions: present, past, and future. He writes12 : The expressions “modus rectus — obliquus” [. . .] are [. . .] modelled [. . .] on the names of the “verbal modes” [. . .]. The “tempora” of the verb, not its modi, seem to denote linguistically the temporal modalities. However, the “tempora” only denote the non-analysed or already constituted temporality, that is a temporality that has already been subsumed under the schema of an objective process (event). The origin of time, the “enactment-character [vollzugsm¨ aßige Weise]” of its peculiar “temporalizing itself [Sich-Zeitigens]” is rather rendered through the modi verbi.

Thus, let us state that Becker’s considerations are guided by the use of verbal moods and not of verbal tenses in natural language, at a variance with most temporal logics, as, for instance, Prior’s logics, which are rather inspired by the use of tenses in natural language. Becker seems to take the verbal modes to be the syntactic expression of the conceptual pair realis — irrealis: The indicative is seen as the syntactic expression of the realis and the subjunctive as the syntactic 12

Becker (1930, p. 43, fn.).

Temporal Logic: From Philosophy and Proof Theory

12

expression of the irrealis. In her book, The Languages of Native North America, Marianne Mithun characterizes the difference as follows: “The realis portrays situations as actualized, as having occurred or actually occurring, knowable through direct perception. The irrealis portrays situations as purely within the realm of thought, knowable only through imagination.”13 Summing up, according to Becker, the alethic modalities of possibility and necessity have an inner connection with the temporal modalities of future and past as opposed to the present. The future and the past are marked as modi obliqui temporales, and the present is marked as modo recto. Obliqui alludes to the fact that both the future and past are non-factual or non-actual. For instance, what is in the future has not yet occurred and can therefore only be in the realm of possibility. But also, what is located in the past has already occurred and is therefore non-actual. It seems to be a common trait of natural languages to render the opposition between realis and irrealis by means of the distinction between indicative and subjunctive.

1.2.2.

Intuitionism and the relationship of modalities and temporality

Becker writes: “The origin of time [. . .] is rather rendered through the modi verbi.” When he talks of time this way, Becker refers to time as a structure of the mind. “Time” — so says Kant in his Critique of Pure Reason — “is not an empirical concept that is somehow drawn from experience.”14 We would not perceive simultaneity or succession if our consciousness would not structure what reaches our sense organs through time. Only if the sense of time is given a priori, before any experience, it is possible to represent several things existing at one and the same time (simultaneously) or in different times (successively). Kant conceives time as a necessary a priori structure of our consciousness. This means that we continuously organize what we experience through time.

13 14

Mithun (1999, p. 173). Kant (1787, p. B46).

Philosophical Roots of Temporal Logic

13

Kant assumed that human understanding is made possible by two forms of intuition, which are given to the subject before (a priori ) any empirical experience (1787): (1) Human subjects have an intuition of spatial forms which are constructed step by step through certain rules (e.g., a circle and ruler in geometry). (2) Human subjects have an intuition of sequential temporal points which are constructed step by step by adding a unit according to the rule of counting in arithmetic. On the one hand, the spatial and temporal forms of intuition enable the human subject to understand empirical objects and events in space and time. For Kant, human subjects are equipped a priori with an intuitive understanding of space and time, which makes possible their orientation in the world. On the other hand, the spatial and temporal forms of intuition provide the schemes of geometric and arithmetic constructions and, by that, the foundations of mathematics. Kant illustrates the temporal form of intuition by an unlimited sequence of points: ., .., . . . , . . . , which is extended step by step by a unique point. In our temporal intuition, these points represent a sequence of present moments (“now”) which are passing in a linear order. Formally, this process corresponds to the construction of the natural numbers 1, 1+1, 1+1+ 1, . . . or in the usual abbreviation of decimal numbers 1, 2, 3, . . . according to the rule of counting. After Kant, the mathematician Leopold Kronecker (1823–1891) claimed that natural numbers are “made by God,” but “all the rest” is made by humans (according to Weber, 1893).15 Independent of Kronecker’s reference to God, Kant argues on the same line: Natural numbers are given to the subject by the temporal form of intuition and its arithmetical scheme of counting. “All the rest” must be reduced to the fundamental form of arithmetical construction. 15 Die ganzen Zahlen hat der liebe Gott gemacht, alles andere ist Menschenwerk. (Weber, 1893, p. 19).

14

Temporal Logic: From Philosophy and Proof Theory

Thus, for Kant and Kronecker, infinity is not given but only a fa¸con de parler (Poincar´e) or “regular idea” (Kant) for the unlimited process of counting. According to Brouwer, mathematical truth is founded by constructions of a “creative subject.”16 In his intuitionistic foundation of mathematics, he followed Kant’s explanation of human understanding by human subjects. Brouwer derived radical consequences for the truth of theorems and their proofs: In temporal intuition, only finite sequences of natural numbers can be constructed.17 Thus, for Brouwer, mathematical truth depends on finite stages of realization in time by a creative subject. Later, Georg Kreisel suggested the following formal definition.18 A creative subject has a proof of proposition A at stage m (in  short: m A) iff  (CS1) For any proposition A, m A is a decidable function of A, i.e.,    x A ; ∀x ∈ N x A ∨ ¬   (CS2) ∀x, y ∈ N(  x A → ( x+y A)); (CS3) ∃x ∈ N( x A) ↔ A. The idea that only finite initial segments of infinite sequences are given leads to Brouwer’s concept of choice sequences.19 A choice sequence means a process which is not necessarily predetermined by some law or algorithm:20 (i) α lawless sequence :≡ at any stage of α0, α1, α2, . . ., only finitely many values of α are known. (ii) α lawlike sequence :≡ all values of α are known by a law (i.e., algorithm). Lawless sequences can be illustrated by sequences of casts with a die after some already realized casts in the beginning. The die can be 16

Brouwer (1907). See Mainzer (2018, Chapter 6). 18 See Kreisel (1967), Sundholm (2014). 19 See Mainzer (1977). 20 See Troelstra (1968), Dummett (1977). 17

Philosophical Roots of Temporal Logic

15

thrown in arbitrarily many times. Nevertheless, at any stage, only finitely many casts are known, and the following cast is unknown. In lawlike sequences, all stages are predetermined by a law. An example is the sequence of even natural numbers with law αn = 2n or the sequence of decimal places of real number π. A radical departure from classical mathematics occurred when choice sequences were allowed in real analysis. If real numbers are defined by fundamental sequences to be given by choice sequences, then the statement “all total functions from R to R are continuous” can be proven intuitionistically. At first glance, this statement seems to be false in classical mathematics. But the meaning of the condition “function f from R to R is total” is obviously much stronger if R is extended to real numbers defined via fundamental sequences as choice sequences21 (Brouwer, 1927). Therefore, we get a different intuitionistic meaning of classical concepts. In intuitionistic mathematics, infinite objects are considered as ever growing and never finished. Therefore, sets need a new foundation. The intuitionistic analog of a set is a so-called spread, which is defined as a countably branching tree labeled with natural numbers or other finite objects and containing only infinite paths. A fan is a finitely branching spread. A branch is an intuitionistic choice sequence, i.e., an infinite sequence of numbers (or finite objects) created step by step by a law (algorithm) or without a law (e.g., coin). A lawless sequence is ever unfinished. The only available information about a lawless sequence at any stage is the initial segment of the sequence created thus far. Here, temporal logic comes in because, for Brouwer as well as for Becker, time sequences and sequences of numbers are closely connected: “The reason why number and time belong together is obvious: The infinite series of numbers is — by its infinity — determined by the potentiality and with that by futureness. Again, the special character of the ‘obliquitas’ is decisive.”22 Thus, following Brouwer and Becker, future is realized in finite stages, such as intuitionistic spreads, i.e., countably branching trees with infinite paths. Only the initial parts of the trees are given as

21 22

Brouwer (1927). Becker (1930, p. 46).

16

Temporal Logic: From Philosophy and Proof Theory

past and presence. Intuitionistically, continuity of time is essential. Concerning the spreads of branching paths in the future, they are realized in finite steps. Becker states in the end of his essay23 : “The idea of a path contains finity [. . .] the most abstract and ‘most free’ sciences of mathesis universalis are primarily and principally determined by the concept of finity.” 1.2.3.

Becker’s modal-logical interpretation of intuitionism

In his 1930 essay, “On the Logic of Modalities,” Becker was the first logician and mathematician to put forward the idea of a modal interpretation of intuitionistic logic, more precisely, the idea of a possible sound and faithful translation of intuitionistic logic into modal logic. However, the first actual translation is to be found in a one-page celebrated and influential paper entitled “An interpretation of the intuitionistic propositional calculus” written in 1933 by Kurt G¨odel.24 The basic idea of G¨odel is similar to the one Becker outlines in his essay. Becker suggests adding to classical logic the predicates “(. . .) is provable,” “(. . .) is such, that its negation is provable,” and “(. . .) is undecided.” Such predicates should express Brouwer’s primitive logical concepts. Similarly, G¨odel’s idea is to add to the language of classical propositional logic the unary operator “it is provable that (. . .),” denoted by “B,” and to an axiomatic calculus for classical propositional logic three axioms and one rule of inference. The axioms correspond exactly to the modal schemas K, T , and 425 that characterize modal logics that are nowadays standard, and the rule of inference is the necessitation rule that is contained in all normal modal systems. Note, incidentally, that both Becker and G¨ odel seem to take the predicate “(. . .) is provable” and the operator “it is provable that (. . .)” as conveying the same piece of information. Actually, the predicate “(. . .) is provable” denotes the property of a proposition to be provable, while the operator “it is provable that (. . .)” takes a 23

Becker (1930, p. 51). G¨ odel (1933). 25 For a formal definition of the normal modal logics and an explanation of their characterizing axioms see Chapter 3. 24

Philosophical Roots of Temporal Logic

17

proposition as input and gives a different proposition as output. (Unfortunately, this practice of systematically neglecting the difference between predicate and operator is, even nowadays, quite widespread among logicians.) G¨odel writes26 : One can interpret Heyting’s propositional calculus by means of the notions of the ordinary propositional calculus and the notion “p is provable” (written “Bp”), if one adopts for that notion the following system S of axioms: 1. Bp → p if it is provable that p, then it is true that p 2. Bp → ((B(p → q) → Bq) if it is provable that p and it is provable that p implies q, then it is provable that q 3. Bp → BBp if it is provable that p, then it is provable that it is provable that p In addition, [. . .] the new rule of inference is to be added A BA From A, it is provable that A may be inferred

By substituting throughout the operator “B” (“it is provable that (. . .)”) by the operator “” (“it is necessary that (. . .)”), one obtains one of the modal logical systems that are nowadays standard, namely Lewis’s system S4. Becker did also tentatively consider a number of possible ways to extend Lewis’s S3 in order to get a modal system with a finite number of irreducible modalities, or even an infinite number of irreducible modalities, yet all pairwise comparable with respect to logical strength. In the current context, the most interesting of Becker’s “experiments” is the one he discusses at length in Section 5, Part I, of his essay.27 Becker tackles here in a more abstract way the problem of “completing” Lewis’s calculus in such a way that in the resulting 26 27

G¨ odel (1933, p. 301). Becker (1930, pp. 25–30).

18

Temporal Logic: From Philosophy and Proof Theory

system, let us call it SM,28 independently from the number (finite or infinite) of irreducible modalities, any two (positive) modalities (i.e., combinations of the two elementary modalities  and ♦) be comparable with respect to logical strength: One can try to free oneself from all requirements that are imposed by special material assumptions, and introduce solely the most general formal conditions of a calculus of modalities. Firstly, one can drop the requirement that the reduction to a finite number of primitive modalities be possible. [. . .] One will, however, keep the general requirement of a linear rank order of modalities, whereby the implicational relation of any two distinct modalities is univocally determined. Otherwise, a modality could no longer be univocally determined by its “rank of logical strength.” Such requirement should be in any case the upper bound of our formal freedom. Now, the question is, on the one hand, whether Lewis’s calculus [S3] satisfies this requirement and, on the other hand, whether suitable axioms for a theory of the rank order of modalities can be established independently from Lewis’s calculus. The answer to the first question is negative, while the answer to the second question is positive.29

At the end of a rather elaborate argument, he arrives at the claim that a stepwise generalization of Brouwer’s schema: B1 = (A → ♦A), B2 = (A → ♦A), B3 = (A → ♦A), .. . provides an infinite number of axiomatic conditions, which added to a given base modal calculus (which he does not explicitly specify) together with three meta-rules (R1 ) − (R3 ),30 produce a calculus SM whose modalities, although infinite in number, are linearly ordered. 28

Centrone and Minari (2019, p. 54). Becker (1930, p. 25). 30 These rules impose that the logical strength relations between (composed) modalities be suitably preserved under “multiplication” of modalities. 29

Philosophical Roots of Temporal Logic

19

He leaves as an open problem the question whether all these infinite modalities of SM are irreducible. Concerning SM, Becker’s proof that the (supposedly infinite) modalities of this system are linearly ordered is very clever and correct. Unfortunately, he did not notice that, if the base calculus is Lewis’s S3, already the first two schemas, B1 and B2 , of the infinite sequence of schemas {Bn }n≥0 he postulated, together with the rule R2 , are sufficient to prove the schema (A → ♦A) — and thus to make SM equivalent to the normal modal system S5. However, it can be proved31 that by choosing a suitable (semantically characterized) base modal system weaker than S2 (and incomparable with S1), Becker’s “system SM” does not collapse into S5 while having the properties that Becker expected.

1.2.4.

Intuitionism and formal systems of temporal logic

There is a rich variety of models of time: Is time instant-based or interval-based, or is it discrete, dense, or continuous? Does time have a beginning or an end? Is time linear, branching,32 or circular? These models must satisfy appropriate formal systems of temporal logic. The flow of time is defined by a model T = T, ≺ with a (nonempty) set T of time instants and a binary relation ≺ of precedence.33 In a discrete (forward, resp. backward) model, each time instant which has a successor, resp. predecessor, also has an immediate successor, resp. predecessor. In dense models, there is another instant between any two subsequent time instants. In an instantbased model of time T = T, ≺ , many properties can be formulated as first-order sentences, such as reflexivity, irreflexivity, transitivity, asymmetry, linearity, beginning, end, no beginning, no end, density, and discreteness. Second-order sentences with quantification over sets are required for properties, such as continuity and well-ordering. Here, the different meaning of classical and intuitionistic sets as spreads comes in.

31

See Centrone and Minari (2022). See Belnap (1992). 33 Galton (2008, p. 3). 32

Temporal Logic: From Philosophy and Proof Theory

20

Obviously, Becker argues for an intuitionistic semantics of temporal logic with spreading temporal developments in finite steps. If events with duration are under consideration, it is sometimes more convenient to use interval-based models instead of instant-based models of time.34 Interval-based models avoid the paradox of Zeno’s flying arrow: If at each instant the flying arrow stands still, how is movement possible? An example that also requires interval-based reasoning is: “The housebreaker was robbing the house, when the police came.” Interval-based models are richer than instant-based models of time because, besides temporal precedence ≺ between time instants, they also consider inclusion and overlapping of time intervals. From a mathematical point of view, instants can be considered as infinitesimal small intervals. The first formal system TL of temporal logic was introduced by Prior,35 who was motivated by the use of tense in natural languages. That reminds us of Becker’s analysis of modo recto and modo obliquo. In TL, the propositional language with atomic propositions and classical logical connectives is extended by Prior with four temporal operators: P : “It was the case that . . . ” (with P for “past”), F : “It will be the case that . . . ” (with F for “future”), G: “It always will be the case that . . . ,” H: “It always was the case that . . . .” The operators G and H can be defined by P and F and vice versa with G :≡ ¬P ¬

H :≡ ¬F ¬.

If π is an infinite path in a spread, then these operators can be combined, for example: π |= F Gϕ : “At a certain instant, ϕ is true at all future states of the path,” π |= GF ϕ : “ϕ is true at infinitely many states on the path.” 34 35

See Allen and Hayes (1989). See Prior (1957).

Philosophical Roots of Temporal Logic

21

Thus, the syntax of TL is specified with the grammar ϕ, ψ := a|⊥|¬ϕ|ϕ ∨ ψ|P ϕ|F ϕ with atomic formula a. A model is given by T = T, ≺, V with a frame (Kripke) T, ≺ and valuation function V which assigns a truth value to each pair (a, t) of an atomic formula and a time value. T |= ϕ[t] means that ϕ is true in a model T = T, ≺, V at time t. The following formal system is called the minimal temporal logic Kt .36 Axioms: ϕ (with ϕ tautology of first-order logic) G(ϕ → ψ) → (Gϕ → Gψ), H(ϕ → ψ) → (Hϕ → Hψ), ϕ → GPϕ, ϕ → HFϕ, with rules of deduction ϕ → ψϕ ψ ϕ Gϕ ϕ Hϕ

(modus ponens), (with ϕ tautology), (with ϕ tautology),

An example which can be derived is Becker’s rule: ϕ→ψ Tϕ → Tψ with a tense T for any sequence of operators G, H, F, and P. A translation from statements of TL into first-order logic with one free variable t representing the present instant of time can be defined recursively.

36

Rescher and Urquart (1971, Chapter VI).

22

Temporal Logic: From Philosophy and Proof Theory

Additional axioms can be taken to represent further assumptions of time. Examples37 are Transitivity (TRANS): Reflexivity (REF): Linearity (LIN): Well-ordering with transitivity (WELLORD): Time without end (NOEND): Induction (IND):

Gϕ → GGϕ, Hϕ → HHϕ, FFϕ → Fϕ, or PPϕ → Pϕ; Gϕ → ϕ, Hϕ → ϕ, ϕ → Fϕ, or ϕ → Pϕ; (PFϕ∨FPϕ) → (Pϕ∨ϕ∨Fϕ); H(Hϕ → ϕ) → Hϕ; F or Gϕ → Fϕ; Fϕ ∧ G(ϕ → Fϕ) → GFϕ.

Minimal temporal logic Kt can now be extended to systems of temporal logic, for example: K4t := Kt + TRANS : all transitive frames, S4t := Kt + REF + TRANS : all partial orderings, Lt := Kt + TRANS + LIN : all strict linear orderings, Nt := Lt +NOEND + IND + WELLORD : N, < natural numbers. These temporal logic systems are decidable.38 Over discrete and linear models of time, the basic temporal logic can be extended by a Next Time operator X and the operators Since S and Until U. Xϕ is true at an instant of time t iff ϕ is true at the immediate successor s(t) of t. The Next Time operator satisfies the axioms X(ϕ → ψ) → (Xϕ → Xψ) and X¬ϕ ↔ ¬Xϕ. The binary operator ϕSψ means that ϕ has been the case since a time when ψ was the case. ϕUψ means that ϕ will be the case until a time when ψ is the case. The extension of TL with these operators lead to the linear-time temporal logic (LTL). LTL is interpreted over 37 38

Galton (2008, p. 10). Rescher and Urquart (1971), Burgess and Gurevich (1985).

Philosophical Roots of Temporal Logic

23

the structure of natural numbers with a reflexive temporal ordering. Obviously, LTL is appropriate for Becker’s intuitionistic assumptions of time. Practically, LTL is convenient to express assertions on infinite computations in computer science. From an intuitionistic point of view, linear time only refers to one path in a branching spread which represents alternative possibilities for the future. A spread is graphically represented by a branching tree. Openness of future means intuitionistically that the temporal structure T, ≺ is never given as a closed infinity but growing in finite steps: “The idea of a path contains finity [. . .].”39 It turns out that in a branching time, two alternative semantics are possible for the future operator F , which were denoted by Prior as Peircean and Ockhamist interpretations.40 In the Peircean branching-time logic, the future operator F means that “it will necessarily be the case that . . ..” Consequently, future truth is assumed as truth in all possible futures. But with this understanding, the future operator F can no longer be dual to the strong future operator G: Fϕ is true at an instant t iff every temporal development passing through t contains some later instant t at which ϕ is true. The strong future operator G does not change its meaning (“It will necessarily always be the case . . .”). Therefore, in the Peircean version, G must be supplemented to the formal language as additional primitive operator and cannot be reduced to F. In Peircean temporal logic, the formula ϕ → HFϕ is no longer valid. From an intuitionistic point of view, the principle of excluded middle is crucial. The Peircean interpretation preserves the principle of excluded middle as ϕ ∨ ¬ϕ, but it violates the principle of future excluded middle Fϕ ∨ F¬ϕ. This principle means that, eventually, either ϕ or ¬ϕ will be the case. In the alternative Ockhamist interpretation, truth is not only relativized to a time instant in the temporal tree but also to a temporal development (“history”) passing through this instant. The operator F now means “With respect to the given history, it will be the case that . . ..” Therefore, an Ockhamist tree model is a triple T = T, ≺, V with tree T, ≺ and valuation function V which assigns a truth value

39 40

Becker (1930, p. 51). Prior (1967).

24

Temporal Logic: From Philosophy and Proof Theory

to each triple (a, t, h) of an atomic formula a, a time value t, and a history h. Then, T , t, h |= ϕ[t] means that ϕ is true in a model T = T, ≺, V at time t and history h. All temporal formulae which are valid in linear models of time are also true at all instant-history pairs, i.e., valid in the Ockhamist sense. Therefore, the Ockhamist interpretation confirms the principle of future excluded middle Fϕ ∨ F¬ϕ if time does not end. It also validates the formula ϕ → HFϕ. But the principle of the necessity of the past Pϕ →  Pϕ is violated. Decidable and strongly complete axiomatizations of intuitionistic temporal logic were recently proven.41 1.2.5.

Outlook on temporal logic in computer science

Logical systems of branching time are not only interesting philosophically but also for computer science.42 Peircean and Ockhamist branching-time temporal logics correspond to the computational tree logics CTL43 and CTL∗ .44 In computer science, branching time is understood as a computation tree. In this case, histories have the order type of natural numbers, such as in intuitionistic mathematics. In computer science, trees of data are unfolded by discrete transition systems which generate possible infinite computations. In general, a transition system is defined by actions or processes which realize transitions between system states. The infinite behavior of transition systems can be expressed in terms of paths and computation. Transition systems are ubiquitous in computer science and can be specified as finite-state automata, pushdown automata, Turing machines, etc.45 Practically, all kinds of computers or clocks can be considered as transition systems. Thus, transition systems deliver an operational semantics of temporal logic. The computation tree logic CTL∗ follows the Ockhamist interpretation of temporal logic. The reflexive future operators G and U and the Next Time operator X are interpreted on computation trees. 41

Boudou et al. (2017), Chopoghloo and Monini (2021). See Gabbay et al. (1994, 2000), Bolc and Szalas (1995). 43 Emerson and Clarke (1982). 44 Emerson and Halpern (1985). 45 Demri et al. (2016, Chapter 3). 42

Philosophical Roots of Temporal Logic

25

An evaluation is relativized to an instant of time defined as state of a transition system and a history defined as a computation path. The computation tree logic CTL follows the Peircean interpretation of temporal logic. Each of the temporal operators G, U, and X is immediately preceded by a modal operator  or ♦. Philosophically, transition systems overcome the restriction of temporal logic to the temporal structure of human consciousness. A constructive and intuitionistic semantics of temporal logic is interesting for cognitive systems with their conscious structure of time in the tradition of Kant and Husserl, and Becker and Brouwer. But it can also be realized by machines in computer science and artificial intelligence.46 For example, in computer science, the correct behavior of a reactive program with nonterminating computations requests to specify and verify the acceptable infinite executions of the program. In concurrent programs with processors working in parallel, their interaction and synchronization must also be specified and verified.47 An infinite computation is formulized by the linear-time logic LTL. Nondeterministic systems are modeled in a branchingtime logic. Besides LTL, CTL and CTL∗ are important logical tools to specify and verify reactive and concurrent computational systems. In artificial intelligence, nowadays, machine learning48 applications need temporal organization of computational processes. AIsupported translation systems need an operational semantics of tenses in natural languages. Cognitive robots (e.g., autonomous cars) with self-organizing abilities need a kind of spatial–temporal reasoning. All that was, of course, not foreseen by Becker as future applications of temporal logic. But his constructive and intuitionistic approach opens a future perspective for an operational semantics of temporal logic.

46

Ohrstrom and Hasle (1995), Fischer et al. (2005). Pnueli (1977, pp. 46–57). 48 Mainzer (2019, Chapter 11.1). 47

This page intentionally left blank

Chapter 2

Computational Foundations of Temporal Logic

In Section 1.2, we already mentioned transition systems (TSs) as general models of computational systems. They consist of states which represent certain configurations and transitions which represent possible state changes. Changes are determined by actions. In this way, finite state machines, automata, pushdown systems, Turing machines, counter machines, and supercomputers can be modeled. But real-life systems can also be modeled by TSs, such as clocks, smartphones, vending machines, and robots. All kinds of computational architectures, such as sequential, parallel, reactive, and interactive processes (e.g., in robotics), can be realized by TSs. Geometrically, they can be illustrated as directed graphs with labels on vertices or edges, which allow software verification by model checking. Definition of transition systems:1 A routed and interpreted transition system (ITS) is a structure     a , L, s T = S, −→ a∈Act

consisting of (1) a set S = ∅ of states, (2) a set Act of names (labels) of actions acting on states and producing successor states, 1

Demri et al. (2016, Section 3.1.1). 27

28

Temporal Logic: From Philosophy and Proof Theory

(a)

(b)

Fig. 2.1. (a) A transition system for counting modulo 4. (b) Mono-transition system (N, succ). Source: Similar to Demri et al. (2016, Fig. 3.1).

a

(3) a binary transition relation −→⊆ S × S associated with every action name a ∈ Act, (4) a set PROP of atomic propositions holding in a particular set of states, (5) a labeling function L : S → P(PROP) assigning to every state s the set L(s) of atomic propositions true at s (called the description label of that state), (6) a designated initial state s called the root of T . A simple example is a transition system with four states modeling the development of an integer variable modulo 4 (Fig. 2.1(a)). The transition system has two actions, inc for increment and dec for decrement, and no atomic propositions. The initial states are depicted by an incoming arrow. In mono-transition systems, the action label is replaced by a binary relation R on S. For example, in Fig. 2.1(b), the mono-transition system (N, succ) generates 0, 1, 2, . . . with the successor function succ on N. A path π in a transition system T is a finite or an infinite sequence of states and names of actions, which transform every state into its

Computational Foundations of Temporal Logic a

29

a

0 1 successor, s0 −→ s1 −→ s2 · · · . The path is rooted in s0 . A path with n transitions has length |π| = n. A finite path in a transition system is a cycle if its first and last states coincide. A loop is a cycle a of length 1 with s −→ s. A transition system is

(1) acyclic if it does not contain cycles, (2) forest-like if it is acyclic and every state has at most one predecessor state, (3) tree-like if it is forest-like, in which at most one state has no predecessor states. Such a state is called root and the transition system is called tree. a

A computation or trace in a transition system T = (S, {−→}a∈Act , L) is a sequence of state descriptions and actions along a path with a0 a1 L(s1 ) −→ L(s2 ) · · · . L(s0 ) −→ 2.1.

Basic Modal Logic

Basic modal logic (BML) is the simplest temporal logic for reasoning about computational transition systems. Each transition relation of a transition system is associated with a modal operator, stating what must be true in all successors of the current state or what may be true in some successors of the current state: The notation AXa relates to all paths (A) starting from the current state to the next state (X) with action a. The notation EXa relates to some path (E) starting from the current state to the next state (X) with action a.2 2.1.1.

Syntax of BML

In the formal language of BML, a BML formula is inductively defined by ϕ := p|⊥|¬ϕ|ϕ ∧ ϕ| EXa ϕ, 2

BML is a variant of the modal logic.

Temporal Logic: From Philosophy and Proof Theory

30

Fig. 2.2. Transition system for proving the truth of certain BML formula. Source: After Demri et al. (2016, Fig. 5.1).

with p ∈ PROP (set of propositions) and a ∈ Act (set of actions). The other logical connectives are defined as usual. The dual modal operator of EXa is defined by AXa := ¬EXa ¬ϕ for all a ∈ Act. 2.1.2.

Semantics of BML3

The semantics of BML relates  to the truth of a formula ϕ at a state a , L), i.e., T , s |= ϕ, which can be s of an ITS T = (S, −→ defined inductively by

a∈Act

T , s |= ⊥; T , s |= p iff p ∈ L(s); T , s |= ¬ϕ iff T , s |= ϕ; T , s |= ϕ ∧ ψ iff T , s |= ϕ and T , s |= ψ; a

T , s |= EXa ϕ iff T , s |= ϕ for some s ∈ S with s −→ s . According to the definition of AXa , it follows that a

T , s |= AXa ϕ iff T , s |= ϕ for every s ∈ S with s −→ s . For example, the truth of formula AXa ⊥ ∧ AXb p ∧ ¬EXb p at state s3 of a transition system T can be derived with the graph of T in Fig. 2.2. The truth of formula p ∧ ¬q ∧ EXa (¬p ∧ ¬r) ∧ EXa (p ∧ r) ∧ AXa ¬q ∧ AXb ⊥ is derived at state s0 . 3

The semantics of ITSs deliver the possible world semantics of Kripke models for modal logic in computer science. For Kripke models, compare, for example, Hintikka (1962).

Computational Foundations of Temporal Logic

31

Fig. 2.3. Algorithm MCBML for model checking of BML formulae. Source: Demri et al. (2016, p. 117).

The semantic definitions of satisfiability, validity of a model, logical validity, and logical implication for BML formulae can be introduced with respect to the definition of |=. The logical problems of model checking and validity testing cannot always be reduced to each other at low computational costs. The algorithm MCBML (Fig. 2.3) solves the (local) model-checking problem in polynomial time. It is a straightforward implementation of the satisfaction relation |=. MCBML works as a procedure for the recursive top-down labeling of the states by subformulae with truth values. It can be proven that, for a given BML formula ϕ, a finite transition system T , and a state s in T , the algorithm MCBML returns the value true iff T , s |= ϕ. Furthermore, the satisfiability problem of BML is decidable. It can also be proven that any satisfiable BML formula is satisfied at the root of a finite tree-like ITS. 2.1.3.

Axiomatic system AxSysBML for BML

An axiomatic system AxSysBML for BML is given by the axioms of propositional logic (PL) extended by axiom (K) for basic AX and two rules of inference.

Temporal Logic: From Philosophy and Proof Theory

32

Axioms of AxSysBML : (PL) All axioms of PL (K) AXϕ ∧ AX(ϕ → ψ) → AXψ Rules of inference: ϕ, ϕ→ψ ψ ϕ AXϕ

(MP) Modus ponens: (Nec) Necessitation:

2.2.

Linear-Time Temporal Logic

Linear temporal logic (LTL) considers single computations in transition systems which are represented by linear models over infinite sequences of states.4 Thus, LTL does not only relate to local properties, such as BML. But LTL cannot express branching-time properties, such as computation tree logic (CTL), which will be studied in the following section. The language of LTL extends the classical PL with temporal modalities for future states in computations. They can be illustrated for current states ϕ in linear sequences of states. The temporal operator Xϕ states that the next state satisfies ϕ. For example, in a computer program, the formula alert → X halt expresses that after a current state of alert, the program should halt in the next state. The formula Fϕ states that ϕ will be true sometime in the future or at the current state. Gϕ means that all future states including the current state satisfy ϕ. Gϕ and ¬F¬ϕ  are equivalent. The binary time operator Until ( ) in the formula ϕ ψ expresses that ϕ will be true from now until ψ becomes true at some future state. 2.2.1.

Syntax of LTL

In the formal language of LTL, an LTL formula is inductively defined by ϕψ := p|⊥|¬ϕ|ϕ ∧ ϕ|X ϕ|F ϕ|Gϕ|ϕ with p ∈ PROP (set of propositions). 4

Gabbay et al. (1980); Pnuelli (1977).



ψ,

Computational Foundations of Temporal Logic

Fig. 2.4.

2.2.2.

33

Example of a LTL model.

Semantics of LTL

The models of LTL are infinite computations, which are illustrated as sequences of labels with atomic propositions, as shown in Fig. 2.4.5 Formally, a linear model of LTL is defined by σ : N → P(PROP). For a linear model σ, a position i ∈ N and a formula ϕ, the satisfaction relation |= can be defined inductively by σ, i |=; σ, i |= p σ, i |= ¬ϕ σ, i |= ϕ ∧ ψ σ, i |= Xϕ σ, i |= Fϕ σ, i |= Gϕ  σ, i |= ϕ ψ

iff iff iff iff iff iff iff

p ∈ σ(i); σ, i |= ϕ; σ, i |= ϕ and σ, i |= ψ; σ, i + 1 |= ϕ; there is j ≥ i such that σ, j |= ϕ; for all j ≥ i we have σ, j |= ϕ; there is j ≥ i such that σ, j |= ψ and σ, k |= ϕ for all k with i ≤ k < j.

Truth σ |= ϕ of an LTL formula ϕ in an LTL model σ is defined by σ, 0 |= ϕ.

2.2.3.

Decidability problems of LTL6

Satisfiability and validity are associated with decision problems.

5 6

Demri et al. (2016, p. 155). Demri et al. (2016, p. 159).

34

Temporal Logic: From Philosophy and Proof Theory

Satisfiability problem SAT(LTL) for LTL: Input: LTL formula ϕ Question: Is there any model σ with σ |= ϕ? Validity problem VAL(LTL) for LTL: Input: LTL formula ϕ Question: Is the case that |= ϕ? For checking the satisfiability of an LTL formula ϕ, one can try to find a small satisfiability witness. A brute force algorithm generates all sequences of subsets in the closure cl LT L (ϕ) of ϕ with a length of at most 2|ϕ| + |ϕ| · 2|ϕ| and checks whether one of them is a small satisfiability witness. This kind of algorithm is a decision procedure for LTL satisfiability with double exponential time of computation. Another procedure starts with a guess of a sequence with a length of at most 2|ϕ| + |ϕ| · 2|ϕ| for checking whether it is a small satisfiability witness. Figure 2.5 is a nondeterministic algorithm for checking whether a given LTL formula has a small satisfiability witness. The algorithm in Fig. 2.5 for satisfiability checking of LTL formulae is correct and needs a space which is polynomial in the size of the input formula. For example, for the LTL formula ϕ = GF p ∧ GF q und Γ := {ϕ, GFp, GFq, Fp, Fq}, the following sequence can be checked by the algorithm in Fig. 2.5 to be a small satisfiability witness with i = 2 and j = 4: Γ ∪ {¬p, ¬q}, Γ ∪ {¬p, q},

Γ ∪ {¬p, ¬q}, Γ ∪ {p, q},

Γ ∪ {p, ¬q},

Γ ∪ {¬p, ¬q},

Γ ∪ {p, ¬q}.

Until now, the temporal operators of LTL only refer to the future. They can be extended by the counterparts of the past. The “next” operator X has an analog in past time, which is called the “previous” operator Y (“yesterday”):  Yϕ states that the previous state satisfies ϕ. The “until” operator has an analog in past time, which is called the “since” operator S: The binary time operator S in the formula ϕSψ expresses that ψ is true at some past position, and since then, ϕ holds true.

Computational Foundations of Temporal Logic

Fig. 2.5. Algorithm for guessing a small satisfiability witness. Source: Demri et al. (2016, p. 170).

35

Temporal Logic: From Philosophy and Proof Theory

36

2.2.4.

Axiomatic system AxSysLTL for LTL7

An axiomatic system AxSysLTL for LTL is given by the axioms  of PL extended by axioms for the temporal operators X, G, and and three rules of inference, as follows. Axioms of AxSysLTL : (PL) (KX ) (SER) (FUNC) (PostFPG ) (GFPG ) (PreFP ) (LFP )

All axioms of PL X(ϕ → ψ) → (Xϕ → Xψ) X X¬ϕ ↔ ¬Xϕ Gϕ → (ϕ ∧ XGϕ) G(ψ → (ϕ ∧ Xψ))  → (ψ → Gϕ)  (ψ ∨ (ϕ ∧ X(ϕ ψ))) → (ϕ  ψ) G((ψ ∨ (ϕ ∧ Xχ) → χ) → ((ϕ ψ) → χ)

Rules of Inference in AxSysLTL : ϕ, ϕ→ψ ψ ϕ for X: Xϕ ϕ for G: Gϕ

(MP) Modus ponens: (NecX ) Necessitation (NecG ) Necessitation

The axiomatic system AxSysLTL is sound and complete because for every finite set of LTL formulae {ϕ1 , . . . , ϕn , ϕ}, it holds that ϕ1 , . . . , ϕn AxSysLTL ψ

if and only if ϕ1 , . . . , ϕn |= ψ.

Therefore, every set of LTL formulae is satisfiable if and only if it is consistent in AxSysLTL . Especially, AxSysLTL ψ if and only if ψ is a valid LTL formula (|= ψ). 2.3.

Computation Tree Logic

LTL is restricted to linear-time models with single computations of transition systems. In CTL, the potential of temporal operators is 7 LTL is a standard formalism to specify the behavior of computer systems for formal verification. Cf. Demri et al. (2016, Section 6.8).

Computational Foundations of Temporal Logic

37

combined with the ability to quantify over paths of computation, which leads to branching-time logic.8 Examples of combinations of temporal operators with path quantifiers have already been introduced. The existence (E) of a run such that the next position (X) satisfies p can be written as E X p and corresponds to modal operator EX in the BML. The statement that for all (A) runs, the next position (X) satisfies p can be written as A X p and corresponds to the modal operator AX. The existence (E) of a run such that a future position (F) satisfies p can be written as EFp. It means that  there is a reachable state which satisfies p. In the formula E(p q), at first,a run is existentially quantified (E) to witness the satisfaction of p q. The statement that for all runs (A) and for all positions, p holds true can be written as AGp. Thus, the combination AG can be understood as a temporal operator in branching-time logic consisting of a universal quantifier over paths and a universal quantifier over positions. 2.3.1.

Temporal logic of reachability a

In a transition system T = (S, {−→}a∈Act , L), the reflexive and trana ∗ a sitive closure s−→ t of the transition relation −→ means that there a a a exists a finite path s0 −→ s1 −→ · · · −→ sn with n ≥ 0, s = s0 , and a ∗ t = sn . Thus, −→ denotes the reachability relation for transitions of type a. The reachability relation can be associated with a reachability operator, resp. reachability modality, EFa , which means forward reachability in the future (F) along some computation with a. The temporal logic of reachability (TLR) is an extension of BML a with the reachability operators EFa for all transition relations −→ of transition system T .9 The syntax of TLR is inductively defined by ϕ := p|⊥|¬ϕ|(ϕ ∧ ϕ)|EXa ϕ|EFa ϕ with p ∈ PROP. As in BML, the dual of each modal operator can be defined by AXa ϕ := ¬EXa ¬ϕ, AGa ϕ := ¬EFa ¬ϕ. 8 9

Clarke and Emerson (1981), Emerson (1990). Ben-Ari et al. (1981).

38

Temporal Logic: From Philosophy and Proof Theory

Fig. 2.6. ϕ is true at every reachable state (AGϕ ). Source: Demri et al. (2016, Fig. 7.2).

The formulae of TLR are interpreted over rooted transition systems. The satisfaction relation |= is defined by the conditions of BML extended by the case ∗

a

T , s |= EFa ϕ if and only if T , s |= ϕ for some r ∈ S with s−→ r. Intuitively, EFa ϕ is true at the state s if ϕ is true at some state r a reachable from s along the transition relation −→. According to the definition AGa , it follows that a

∗

T , s |= AGa ϕ if and only if T , s |= ϕ for all r ∈ S with s−→ r. Figure 2.6 illustrates that AGa ϕ is true at the state s if ϕ is true at a every state r reachable from s along the transition relation −→ of a transition system. In BML, the satisfiability of TLR is decidable. An axiomatic system AxSysTLR for the set of valid formulae of TLR extends AxSysBML with an axiom to guarantee the seriality of the transition relation and axioms for the operator AG.10

10

Demri et al. (2016, p. 253).

Computational Foundations of Temporal Logic

39

Fig. 2.7. Illustration of AFϕ. Source: Demri et al. (2016, Fig. 7.3).

Axioms of AxSysTLR : (BML) (KAX ) (SER) (PostFPAG ) (GFPAG )

All axioms of BML logic AxSysBML AX(ϕ → ψ) → (AXϕ → AXψ) EX AGϕ → (ϕ ∧ AXAGϕ) AG(ψ → (ϕ ∧ AXψ)) → (ψ → AGϕ)

Rules of Inference in AxSysLTL : ϕ, ϕ→ψ ψ for AX: ϕ AXϕ for AG: ϕ AGϕ

(MP) Modus ponens: (NecX ) Necessitation (NecG ) Necessitation

According to PostFPAG , AGϕ is a post-fixpoint of the operator ΓAG with ΓAG (ϑ) = ϕ∧AXϑ. GFPAG means that AGϕ is the greatest post-fixpoint of the operator ΓAG . 2.3.2.

Computation tree logic

TLR only claims reachability on some computations. CTL is an extension of TLR which refers to all computations starting from the current state, which is considered by the operator AF. Figure 2.7 illustrates AFϕ with an example.

40

Temporal Logic: From Philosophy and Proof Theory

 Fig. 2.8. Illustration of A(ϕ ψ). Source: Demri et al. (2016, Fig. 7.3).

The CTL is an extension of BML with modal operators for existential and universal reachability. They combine the existential, resp. universal, path quantifier with the Until operator. The syntax of CTL is inductively defined by          ϕ := p|⊥|¬ϕ|(ϕ∧ϕ)|EXϕ E ϕ ϕ  A ϕ ϕ

with p ∈ PROP.

  In A(ϕ ψ), the Until property ( ) is combined with universal path quantification (A). In this case, ψ must eventually hold for all paths, and ϕ holds at every moment before that on all these paths (Fig. 2.8). In CTL, the existential  reachability operator of TLR can be defined as EFϕ:= E( ϕ). The universal reachability operator is AFϕ := A( ϕ). The dual EGϕ := ¬AF¬ϕ states the existence of a computation in which ϕ holds at every moment. Furthermore, AGϕ := ¬EF¬ϕ. The satisfaction relation |= is defined by the conditions of TLR extended by the following cases:  T , s |= E(ϕ1 ϕ2 ) iff there is a path π which starts at s and i ≥ 0 such that π(0) = s, T , π(i) |= ϕ2 , and for every j ∈ [0, i − 1] it is T , π(j) |= ϕ1 .  T , s |= A(ϕ1 ϕ2 ) iff for all paths π such that π(0) = s, there is i ≥ 0 such that T , π(i) |= ϕ2 , and for every j ∈ [0, i − 1], it is T , π(j) |= ϕ1 .

Computational Foundations of Temporal Logic

41

The set of valid formulae of CTL is axiomatized by AxSysCTL .11 (BML) (KAX ) (SER) (PreFPE  ) (PreFPA  ) (LFPE  ) (LFP )

2.4.

All axioms of BML logic AxSysBML AX(ϕ → ψ) → (AXϕ → AXψ) EX   (ψ ∨ (ϕ ∧ EXE(ϕ  ψ))) → E(ϕ ψ) (ψ ∨ (ϕ ∧ AXA(ϕ ψ))) → A(ϕ  ψ) AG((ψ ∨ (ϕ ∧ EXχ) → χ) → (E(ϕ  ψ) → χ) AG((ψ ∨ (ϕ ∧ AXχ) → χ) → (A(ϕ ψ) → χ)

Full Computation Tree Logic

 In TRL and CTL, certain temporal operators, such as X and , were already combined with path quantifiers. In full computation tree logic (CTL*), the definitions of LTL and CTL include state formulae related to states and path formulae related to computations of an ITS. In this sense, CTL* comprises the full branching logic.12 2.4.1.

Syntax of CTL*

In the syntax of CTL*, state formulae ϕ and path formulae ϑ are defined in mutual recursion by ϕ := ⊥|p|¬ϕ|ϕ ∧ ϕ|Aϑ with p ∈ PROP,  ϑ := ϕ|¬ϑ|ϑ ∧ ϑ|Xϑ|ϑ ϑ. The existential path quantifier is defined by Eϕ := ¬A¬ϕ. 2.4.2.

Semantics of CTL*

The semantics of CTL* relates to a transition system T with a satisfaction relation |=s of state formulae and a satisfaction relation |=p 11 12

Demri et al. (2016, p. 255). Emerson and Halpern (1983); Demri et al. (2016, pp. 2017–2018, 258).

Temporal Logic: From Philosophy and Proof Theory

42

of path formulae: T , ss |= ⊥; T , s |=s p T , s |=s ¬ϕ T , s |=s ϕ ∧ ψ T , s |=s Eϑ

iff iff iff iff

T , s |=s Aϑ

iff

T ,π T ,π T ,π T ,π T ,π

|=p |=p |=p |=p |=p

ϕ ¬ϑ ϑ ∧ ϑ Xϑ  ϑ ϑ

iff iff iff iff iff

p ∈ L(s); T , ss |= ϕ; T , s |=s ϕ and T , s |=s ψ; there is a path π starting at s such that T , π |=s ϑ; for all paths π starting at s, it holds that T , π |=s ϑ; T , π(0) |=s ϕ for state formulae ϕ; T , πs |= ϑ; T , π |=p ϑ and T , π |=p ϑ ; T , π[1, +∞] |=p ϑ; there is i ≥ 0 such that T , π[i, +∞] |=p ϑ and for every j ∈ [0, i − 1], it is T , π[j, +∞] |=p ϑ

Since every state formula of CTL* is also a path formula, it is usual to merge the two sorts and assume that all CTL* formulae are path formulae. The semantics of CTL* can be restricted to tree-like transition systems. A uniformly branching tree has an equal number of branches at every node. For a given number k, a k-branching tree is a uniformly branching tree with exactly k branches at every node. It can be proven that every satisfiable state formula ϕ (in negation normal form) of CTL* is satisfiable in a k-branching tree, with k ≤ m + 1, with m number of existential path quantifiers occurring in ϕ. Whereas model checking for CTL and TLR can be done in polynomial time, we need exponential time for CTL*. A practical application of model checking in CTL and CTL* is program verification in computer science. Program verification is important to prevent critical states and to guarantee safety. 2.4.3.

Axiomatic system AxSysCTL∗ for CTL∗

The axioms of AxSysCTL∗ for the full branching logic CTL* includes the axioms of AxSysLTL for path formulae, axioms for the path quantifiers, and an axiom for the interaction of A and X.

Computational Foundations of Temporal Logic

43

Axioms of AxSysCTL∗ : All axioms of AxSysLTL A(ϕ → ψ) → (Aϕ → Aψ) Aϕ → AAϕ Aϕ → ϕ Aϕ → AEϕ p → Ap, for each atomic proposition p AXϕ → XAϕ Rules of Inference in AxSysLTL : ϕ, ϕ→ψ ψ for AX: ϕ AXϕ for AG: ϕ AGϕ ϕ for A: Aϕ

(MP) Modus ponens: (NecAX ) Necessitation (NecAG ) Necessitation (NecA ) Necessitation

The axiomatic system AxSysCTL∗ is sound and complete with respect to the class of all (generalized) branching structures.13

2.4.4.

Ockhamist CTL*

LTL was extended by past-time operators which do not change the class of models. In a branching time, several aspects must be considered for representing the past. With respect to Ockham’s philosophy of time (compare Sections 1.1 and 1.2), a tree-like representation with a finite and linear past, but infinite and possibly branching (“open”), future is assumed. Figure 2.9 is an illustration of the Ockhamist philosophy of time in the framework of extended CTL*.14

13 14

Reynolds (2001). Prior (1967) and Demri et al. (2016, p. 250).

44

Temporal Logic: From Philosophy and Proof Theory

Fig. 2.9.

A path in Ockhamist CTL*.

The extension of CTL* with this kind of Ockhamist past needs an extended syntax with past operators Y and S:    ϕ := p|⊥|¬ϕ| (ϕ ∧ ϕ) |Xϕ| ϕ ψ |Eϕ|Aϕ|Yϕ|(ϕSψ) with p ∈ PROP. In the semantics of the past-extended CTL*, the truth of formulae is evaluated for a path and a position along the path: T , π, i |= p T , π, i |= ¬ϕ T , π, i |= ϕ ∧ ψ T , π, i |= Eϕ

iff iff iff iff

T , π, i |= Xϕ  T , π, i |= ϕ ψ

iff iff

T , π, i |= Yϕ T , π, i |= ϕSψ

iff iff

p ∈ L(π(i)); T , π, i |= ϕ; T , π, i |= ϕ and T , π, i |= ψ; there is a path T , π  such that T , π[0, i] = π  [0, i] and T , π  , i |= ϕ; T , π, i + 1 |= ϕ; there is j ≥ i such that T , π, j |= ψ, and for every k ∈ [i, j − 1], it is T , π, k |= ϕ; i > 0 and T , π, i − 1 |= ϕ; there is j ≤ i such that T , π, j |= ψ, and for every k ∈ [j − 1, i], it is T , π, k |= ϕ.

Chapter 3

Proof-Theoretical Foundations of Temporal Logic

In the age of digitalization and Big Data, security and trust in information flow and computational systems have become urgent demands of technology and societal acceptance. Therefore, specification and verification, model-checking, and satisfiability testing of hardware and software are great challenges in computer science. Temporal logic plays a substantial role in model-checking and verification technology. But users in the digital world are often less aware that verification, model-checking, and satisfiability are deeply rooted in the logical foundations of proof theory. In this chapter, we continue with early studies on the philosophical and proof-theoretical foundations of computer science with respect to temporal logic.1 The first proof systems for temporal logic were developed with Hilbert-style axiomatic calculi. In this case, proof systems are constituted with several axioms and rules of inference (compare Chapter 2). But axiomatic systems of this style are only useful for formalization of what has already been proved. They are not appropriate for the search of proofs which are demanded for verification problems in computer science. For proof searching, we need guidance by the propositions and theorems to be proved, which is missing in Hilbert-style systems.

1

Mainzer et al. (2018, 2022). 45

46

Temporal Logic: From Philosophy and Proof Theory

Here, Gentzen-type systems come in. In the beginning of the 1930s, Gerhard Gentzen introduced a sequent calculus which overcomes the lack of guidance of Hilbert-style systems by a special notation. At any step of derivation, the antecedent of a sequent shows the open assumptions on which the formulas in the consequent depend. If the proof search is terminating, then the decision problems in formal systems can be solved. In the following, we start the proof analysis in temporal logic with the Gentzen sequent calculus, which is the historical “mother” of several related proof-theoretical systems, such as tableaux-based, automata-based, and game-based calculi. They have different advantages for the formal verification of efficient algorithmic methods solving verification problems. In these cases, the decision problems for temporal logic can be reduced to decision problems about tableaux, automata, and games, respectively. For example, typical challenges are problems checking whether an automaton accepts a certain computation or whether it recognizes a certain language.

3.1.

Gentzen Calculus and Temporal Logic

The proof-theoretic treatment of temporal logics (indeed, of many other families of nonclassical logics as well) within Gentzen’s original framework that was tailored for classical logic (and adaptable to intuitionistic logic) is notoriously difficult. Since the 1980s, a lot of hard work and ingenuity has been and still is being devoted to capture these logics with adequate, well-behaved “sequent-style” calculi. As far as temporal logic systems are concerned, difficulties are more challenging than those encountered in plain modal logic systems already at the level of the minimal system TL: This is due to the intertwining of the two -like operators H and G (and the two associated ♦-like operators P and F) of TL, as is evident from the two characteristic tautologies ϕ → GPϕ and ϕ → HFϕ of this logic. In the following, after two preliminary sections in which we explain what a sequent-style calculus is and which properties are requested to make a sequent-style calculus into a “good” one, we illustrate a selected number of interesting contributions concerning the proof-theoretic, Gentzen-type approach to TL, LTL, and CTL and discuss some problems as well.

Proof-Theoretical Foundations of Temporal Logic

3.1.1.

47

Gentzen’s calculus for classical propositional logic in a nutshell

To answer the question “What is a sequent-style (or Gentzen-type) calculus?” it is convenient to start by recalling the basics of Gentzen’s original sequent calculus LK for classical predicate logic, introduced in 1935.2 For the sake of simplicity, we confine to LK’s propositional fragment LKp (primitive logical operators: ¬, ∨, ∧, and →) since the temporal logics we are considering here are extensions of classical propositional logic and do not feature individual quantification. A sequent, according to Gentzen’s original definition, is a syntactic object of the form Γ ⇒ Δ, where Γ (the antecedent of the sequent) and Δ (the consequent) are two finite, possibly empty lists, say ϕ1 , . . . ϕn and ψ1 , . . . ψm (n, m ≥ 0), of not necessarily distinct formulae. According to Gentzen, the intended meaning Γ⇒Δ  of a sequent  is represented by the conditional formula Γ → Δ, whose antecedent is the conjunction of the formulae in Γ (an arbitrarily fixed tautology  if Γ is empty) and whose consequent is the disjunction of the formulae in Δ (an arbitrarily fixed contradiction ⊥ if Δ is empty). Thus, from a classical-semantics point of view, a sequent is true if, whenever all formulae in its antecedent are true, at least one formula in its consequent is also true. Note that the list-forming comma “,” acts therefore as a “structural” logical operator having a “positional meaning,” namely a conjunctive one in the antecedent and a disjunctive one in the consequent. The calculus LKp features axioms (the so-called “initial sequents”) ϕ⇒ϕ and (one- or two-premise) inference rules. The latter are divided into “structural” and “logical” rules. 2

Gentzen (1935, pp. 176–210).

48

Temporal Logic: From Philosophy and Proof Theory

The structural rules, Exchange (E), Weakening (W), Contraction (C), and the “cut rule” (cut), do not deal with any specific logical operator. E, W, C come in pairs and produce structural modifications in the antecedent or in the consequent of a sequent; the cut rule represents instead a generalized form of the modus ponens or of the transitivity rule for the conditional: Γ⇒Δ ϕ, Γ ⇒ Δ

Γ⇒Δ Γ ⇒ Δ, ϕ

Wl ,

Wr ,

Γ1 , ϕ, ψ, Γ2 ⇒ Δ Γ1 , ψ, ϕ, Γ2 ⇒ Δ

El ,

Γ ⇒ Δ1 , ϕ, ψ, Δ2 Γ ⇒ Δ1 , ψ, ϕ, Δ2

ϕ, ϕ, Γ ⇒ Δ ϕ, Γ ⇒ Δ

Cl ,

Γ ⇒ Δ, ϕ, ϕ Γ ⇒ Δ, ϕ

Γ ⇒ Δ, ϕ ϕ, Π ⇒ Σ Γ, Π ⇒ Δ, Σ

Er ,

Cr ,

cut.

The logical rules, in turn, come in pairs for each logical operator ∗ (here, one of ¬, ∨, ∧, →) and introduce in the antecedent (∗l ), resp. in the consequent (∗r ), of the conclusion, a complex formula whose main operator is ∗: ¬l ,

ϕ, Γ ⇒ Δ Γ ⇒ Δ, ¬ϕ

∧l (i=1,2),

Γ ⇒ Δ, ϕ Γ ⇒ Δ, ψ Γ ⇒ Δ, ϕ ∧ ψ

Γ ⇒ Δ, ϕ ¬ϕ, Γ ⇒ Δ ϕi , Γ ⇒ Δ ϕ1 ∧ ϕ2 , Γ ⇒ Δ

ϕ, Γ ⇒ Δ ψ, Γ ⇒ Δ ϕ ∨ ψ, Γ ⇒ Δ

Γ ⇒ Δ, ϕi Γ ⇒ Δ, ϕ1 ∨ ϕ2

∨l ,

Γ ⇒ Δ, ϕ ψ, Π ⇒ Σ ϕ → ψ, Γ, Π ⇒ Δ, Σ

→l ,

.

¬r ,

∧r ,

∨r (i=1,2),

ϕ, Γ ⇒ Δ, ψ Γ ⇒ Δ, ϕ → ψ

→r .

The formula which is displayed in the conclusion of a rule is called the “principal formula,” while its subformula (or subformulae) which is displayed in the premise(s) is called the “secondary formula (or formulae).” The lists Γ, Δ, . . . contain the “context formulae.” It is crucial to note that all the structural and logical rules, with the sole exception of the cut rule, are such that any formula occurring

Proof-Theoretical Foundations of Temporal Logic

49

in the premise(s) also occurs as a (proper or improper) subformula of a formula in the conclusion — intuitively, no “piece of information” (formula) is lost in the top-to-bottom direction. On the contrary, the cut rule is not, in such a sense, “analytic”: the displayed formula ϕ occurring in both premises, the so called “cut formula,” may not appear in the conclusion and so is generally lost in the top-to-bottom direction. A formal derivation D in LKp of a sequent Γ ⇒ Δ is a finite tree of sequents which is locally correct with respect to the axioms (so each leaf node is an axiom) and the inference rules and has the sequent Γ ⇒ Δ as “end-sequent,” i.e., at the root. A “cut-free derivation,” i.e., one in which there are no applications of the cut rule, thus satisfies the fundamental “Subformula property”: Any formula occurring somewhere in the derivation is a subformula of a formula occurring in the end-sequent of the derivation.

LKp turns out to be valid and complete for classical propositional logic. Indeed, given an axiomatic, Hilbert-style calculus C, which is known to be classically valid and complete, it is an easy exercise to prove that if a sequent  Γ ⇒Δ is LKp -derivable, then its associated conditional formula Γ → Δ is C-provable and, conversely, that if a formula ϕ is C-provable, then the sequent ⇒ ϕ is LKp -derivable. Gentzen’s fundamental result (for the whole LK, here for LKp ), known as the “Hauptsatz” or “cut-elimination theorem,” says that the cut rule is redundant; more precisely, Gentzen’s purely syntactic proof of this result shows that any LKp -derivation D can be effectively transformed (through a finite number of rewriting steps) into a cut-free derivation D ∗ of the same end-sequent of D. The calculus is thus fully analytic and allows systematic root-first, bottom-up proof-searching. There are many provably equivalent variants of Gentzen’s original LKp . In the “multisets variant,” the antecedent and the consequent of a sequent are taken to be finite multisets, and not lists, of formulae to the effect that the structural exchange rules can be trivially dispensed with. One may combine this variant with the one in which all the sequents of the form ϕ, Γ ⇒ Δ, ϕ (generalized initial

50

Temporal Logic: From Philosophy and Proof Theory

sequents) are taken as initial sequents to the effect that (also) the structural weakening rules can be dropped while still being provably admissible.3 The most interesting among the multisets variants (which we need in the following, when considering the labeled calculi for TL) is the sequent calculus G3cp , inspired by the contributions of Ketonen and Dragalin,4 in which there are no structural rules except the cut rule. G3cp results from the multiset variant of LKp by modifying it as follows: • the structural rules Weakening and Contraction are dropped (and Exchange, of course), so only the cut rule is retained; • the axioms are taken in the generalized form ϕ, Γ ⇒ Δ, ϕ, with the additional restriction that ϕ is an atomic formula (including , ⊥); • the two-premises logical rule →l , which in LKp is formulated in the so-called “multiplicative” (context-free) version, is replaced by the corresponding “additive” (context-sharing) version (such as ∧r , ∨l in LKp ): Γ ⇒ Δ, ϕ ψ, Γ ⇒ Δ ϕ → ψ, Γ ⇒ Δ

→l ;

• the two twin rules ∧l (i = 1, 2) as well as the two twin rules ∨l (i = 1, 2) are replaced by the two corresponding multiplicative rules (such as →r in LKp ): ϕ, ψ, Γ ⇒ Δ ϕ ∧ ψ, Γ ⇒ Δ

∧l ,

Γ ⇒ Δ, ϕ, ψ Γ ⇒ Δ, ϕ ∨ ψ

∨r .

One can easily prove the equivalence of LKp and G3cp . Most importantly, one can (less easily) prove that the rules of weakening and contraction are cut-free admissible and that all the logical rules are invertible (with the preservation of the height of derivations and without making use of cut) and, finally, that also G3cp admits syntactic cut elimination. The additional key property of G3cp , i.e., the 3 Some authors also use to define sequents as being of the form Γ ⇒ Δ with Γ, Δ finite, possibly empty sets of formulae. In this way, the contraction rule is trivialized, being hidden in the syntactic notion of a sequent. There are, however, some drawbacks with this variant, which suggest not to adopt it. 4 Ketonen (1944), Dragalin (1979). See also Troelstra and Schwichtenberg (2000).

Proof-Theoretical Foundations of Temporal Logic

51

absence of the contraction rule (contraction, so to speak, is hidden in the logical rules by the clever choice and mixture of additive and multiplicative formulations), represents, from the point of view of the efficiency of proof-searching, the great advantage of G3cp over LKp . One last variant, which is worth recalling here (also for future use), is often referred to as the “Tait-style” variant.5 It features “one-sided sequents,” which are just finite, possibly empty multisets Γ of formulae, to be intuitively interpreted by the corresponding disjunctive formula Γ. Thus, the standard Gentzen sequent Γ ⇒ Δ corresponds to the one-sided sequent ¬Γ, Δ (where ¬Γ := {¬ϕ | ϕ ∈ Γ}). This variant fits well only with classical logic and extensions thereof and benefits from the adoption of a propositional language featuring literals (countably many positive and negative propositional variables p0 , p1 , . . ., resp. p0 , p1 , . . .) and, as primitive boolean connectives, only the conjunction and the disjunction. The negation ¬ϕ of a formula ϕ is inductively defined via the double negation and De Morgan laws (¬pi := pi , ¬pi := pi , ¬(ϕ ∨ ψ) := ¬ϕ ∧ ¬ψ, ¬(ϕ ∧ ψ) := ¬ϕ ∨ ¬ψ), while the remaining connectives are defined as usual. The advantage is a substantial economy in the formulation of the calculus. For instance, the Tait version of LKp is defined as follows: Axioms (initial sequents):

p, p.

Structural rules: Γ Γ, Δ

Γ, ϕ, ϕ Γ, ϕ

C,

Γ, ϕ Γ, ψ Γ, ϕ ∧ ψ

∧,

W,

Γ, ϕ

¬ϕ, Γ Γ

cut.

Logical rules: Γ, ϕ, ψ Γ, ϕ ∨ ψ

∨.

5 Tait (1968). Note that William Tait uses sets of formulae instead of multisets of formulae.

52

3.1.2.

Temporal Logic: From Philosophy and Proof Theory

What is a (good) sequent-style calculus?

With a few exceptions (notably, intuitionistic logic6 ), most nonclassical logics and families thereof — be they alternatives to classical logic, such as relevant logics, many-valued logics, intermediate logics, or extensions of classical logic, such as modal (, ♦) logics and temporal logics — do not fit well, from the proof-theoretic point of view, in Gentzen’s original framework as characterized, in particular, by the adhesion to “standard” sequents Γ ⇒ Δ, possibly with inessential variations (such as one-sided sequents) or restrictions (such as intuitionistic sequents) and to the coming in pairs (introduction in the antecedent and in the consequent) of logical rules. In some cases, one may easily devise ad hoc Gentzen-style inference rules in order to capture this or that nonclassical logic, but the crucial problem is that these rules may not obey the subformula property or that the resulting calculus may not admit cut elimination. Just to give an example, consider the minimal normal modal logic K (with  as primitive modal operator and ♦ϕ defined as ¬¬ϕ).7 By adding to G3cp , the inference rule Γ⇒ϕ , Γ ⇒ ϕ, Δ one obtains the sequent calculus GK, which turns out to be adequate for K. The above rule does not respect the pattern of Gentzen’s logical rules (introduction in the antecedent or introduction in the consequent), yet GK is proof-theoretically well behaved, that is, it enjoys 6

A sequent calculus for intuitionistic logic, named LJ, was introduced by Gentzen (1935) through a rather simple modification of LK, consisting of the restriction to sequents Γ ⇒ Δ, where Δ contains at most one formula. LJ enjoys (syntactic) cut elimination, which entails the decidability of its propositional fragment LJp . Sequent calculi for propositional intuitionistic logic that are more efficient than Gentzen’s LJp from the point of view of proof-searching have been later devised and investigated. 7 K is axiomatized by adding to an axiomatic calculus for classical propositional logic the axiom schema (ϕ → ψ) → (ϕ → ψ) and the necessitation rule ϕ . ϕ

Proof-Theoretical Foundations of Temporal Logic

53

all the desirable properties: (syntactic) cut elimination and the subformula property. On the other hand, for many well-known extensions of K, among which is S5 (K + (ϕ → ϕ) + (ϕ → ϕ) + (ϕ → ♦ϕ)), there is no (and, in a precise sense, there cannot be any) adequate, more or less conventional sequent calculus.8 In his 2002 survey on the proof-theory of modal logics,9 Wansing concluded that “no uniform way of presenting only the most important normal modal and temporal propositional logics as ordinary Gentzen calculi is known” and that, in any case, “the standard approach fails to be modular: in general it is not the case that a single axiom schema is captured by a single sequent rule (or a finite set of such rules)”— and we can say that this verdict also applies to other families of nonclassical logics. Since the end of the 1980s, the proof-theoretical investigation of nonclassical logics has gradually led to the introduction of a variety of “nonconventional” Gentzen-type calculi or sequent-style calculi. The key point is the replacement of Gentzen’s standard sequents with other kinds of related syntactic objects, which we may subsume under the category of “nonconventional sequents,” such as the sequents adopted in “display” sequent calculi10 (which feature, further to Gentzen’s comma, a number of additional structural operators), the “hypersequents” (of the form Γ1 ⇒ Δ1 | Γ2 ⇒ Δ2 | · · · | Γn ⇒ Δn : finite lists, or sets, or multisets of conventional sequents),11 the “nested” sequents12 (see also the following section) and the “treehypersequents”13 or the “labeled” sequents of Negri’s labeled sequent calculi approach,14 just to mention a few — see Wansing’s 2002 chapter for a detailed survey.

8

See Takano (2018). Wansing (2002). 10 Belnap (1982). 11 Avron (1991), Cf. also Avron (1996). 12 Br¨ unnler (2006). See also Br¨ unnler and Strassburger (2009) and Gor´e et al. (2009). 13 Poggiolesi (2011). 14 Negri (2005). 9

54

Temporal Logic: From Philosophy and Proof Theory

This deviation from Gentzen’s original format does not qualify a sequent-style calculus for a certain logic L as a “good” one. Typically, two major requirements have to be met, namely: • the subformula property, and • the cut-elimination theorem (better if is proved in a purely syntactical way), which together pave the way to (more or less efficient) proof-searching algorithms. In certain cases, restricted exceptions to the subformula property or deviations from full cut elimination (the so-called “analytic cut elimination”) may be tolerated. In view of what we will see in the following section, we conclude with a concise presentation of the labeled sequent calculi approach developed by Negri, which has been applied successfully to modal and temporal logics and, in general, to (families of) logics which are semantically characterized by a Kripke-style, relational semantics. In the nested sequents and the tree-hypersequents approaches, notions of the relational semantics underlying a given logic are implicitly internalized in the syntax (basically, the deep sequents and treehypersequents hide in a linear notation a tree-like structure whose nodes are standard sequents). The labeled sequent calculi approach is instead characterized by an explicit internalization of relational semantic notions within the syntax. Let us consider, by way of exemplification, the labeled, Gentzen-style calculus for the minimal normal modal logic K. Besides the usual modal formulae (here, for convenience, a propositional language with ⊥, ∧, →, , ♦ as primitive logical operators is adopted), one needs variables v0 , v1 , . . . and a binary predicate letter R (the former, intuitively, ranging over the worlds or states of an unspecified Kripke model and the latter denoting its accessibility relation). A relational atom has the form xRy, where x, y are variables. A labeled formula has the form x : ϕ, where x is a variable and ϕ is a formula (intuitive reading: ϕ is true at x). Finally, a labeled sequent has the standard form Γ ⇒ Δ but now Γ, Δ are finite multisets of labeled formulae and relational atoms.

Proof-Theoretical Foundations of Temporal Logic

55

The labeled calculus G3lab K is defined as follows. Axioms (initial sequents): x : p, Γ ⇒ Δ, x : p,

xRy, Γ ⇒ Δ, xRy,

x : ⊥, Γ ⇒ Δ;

Structural rule: Γ ⇒ Δ, x : ϕ x : ϕ, Π ⇒ Σ Γ, Π ⇒ Δ, Σ

cut;

Propositional logical rules: x : ϕ, x : ψ, Γ ⇒ Δ x : ϕ ∧ ψ, Γ ⇒ Δ

Γ ⇒ Δ, x : ϕ Γ ⇒ Δ, x : ψ Γ ⇒ Δ, x : ϕ ∧ ψ

∧l ,

Γ ⇒ Δ, x : ϕ x : ψ, Γ ⇒ Δ x : ϕ → ψ, Γ ⇒ Δ

→l ,

∧r ,

x : ϕ, Γ ⇒ Δ, x : ψ Γ ⇒ Δ, x : ϕ → ψ

→r ;

Modal logical rules: y : ϕ, x : ϕ, xRy, Γ ⇒ Δ x : ϕ, xRy, Γ ⇒ Δ xRy, y : ϕ, Γ ⇒ Δ x : ♦ϕ, Γ ⇒ Δ

♦l (!!y),

l ,

xRy, Γ ⇒ Δ, y : ϕ Γ ⇒ Δ, x : ϕ

r (!!y),

xRy, Γ ⇒ Δ, x : ♦ϕ, y : ϕ xRy, Γ ⇒ Δ, x : ♦ϕ

♦r ,

with a proviso in the rules marked with (!!y): The variable y must not occur in the conclusion. The axioms and the propositional logic rules need no special comments, considering that the semantics of the Boolean operators is local: They are just the corresponding axioms and rules of G3cp , with the principal and secondary formula (or formulae) decorated with one and the same label. The modal rules, which come in pairs and so fully respect Gentzen’s pattern, are also natural since they can be easily justified by looking at the clauses: M, x  ϕ if and only if M, y  ϕ for all y such that xRy, M, x  ♦ϕ if and only if M, y  ϕ for some y such that xRy,

56

Temporal Logic: From Philosophy and Proof Theory

defining the truth of a formula ϕ or ♦ϕ at a world x in a model M.15 G3lab K captures the modal system K (for all formulae ϕ: ϕ is a K-tautology iff the sequent ⇒ x : ϕ is derivable in G3lab K) and is indeed a good sequent-style calculus: It respects the (suitably reformulated) subformula principle and admits syntactical cut elimination. What is more important, G3lab K is the basic labeled modal calculus from which labeled sequent-style calculi for all the normal modal systems M, extending the minimal one K, can be modularly obtained, provided their corresponding frame condition in Kripke’s semantics is expressible by universal formulae or geometric implications.16 For such M’s, the frame condition can be captured by suitable sequent-style so-called “mathematical rules” which, added to G3lab K, give rise to a labeled sequent-style calculus G3lab M that is adequate for M and still enjoys the subformula property and cut elimination. Just to give one example, the following mathematical rules xRx, Γ ⇒ Δ Γ⇒Δ xRy, yRx, Γ ⇒ Δ xRy, Γ ⇒ Δ

Ref,

Sym,

xRy, Γ ⇒ Δ Γ⇒Δ

Ser(y!!),

xRz, xRy, yRz, Γ ⇒ Δ xRy, yRz, Γ ⇒ Δ

Trs

15 The soundness of the rules (l ) and (r ), and analogously that of (♦l , ♦r ), is proved as follows. Suppose the conclusion x : ϕ, xRy, Γ ⇒ Δ of (l ) is false in a Kripke model M. Then, for the worlds x, y satisfying xRy, one has that x  ϕ — so, by the semantics of , y  ϕ — and also that each formula in Γ is true at some world (not necessarily the same), while each formula in Δ is false at some world (not necessarily the same). Hence, the premise y : ϕ, x : ϕ, xRy, Γ ⇒ Δ of the rule is false in that Kripke model. Next, suppose the conclusion Γ ⇒ Δ, x : ϕ of (r ) is false in a Kripke model M. Then, each formula in Γ is true in some world (not necessarily the same), while each formula in Δ is false in some world (not necessarily the same), and ϕ is false in the world x. This implies that there must be a world accessible from x, in which ϕ is false. We are not entitled to make additional assumptions on this world, so we pick one such y not occurring in the conclusion. Hence, the premise xRy, Γ ⇒ Δ, y : ϕ of the rule is false in that Kripke model. 16 A universal formula is a closed formula of the form ∀x1 . . . ∀xn A, where A is quantifier-free. A geometric implication is a formula of the form ∀x1 . . . ∀xn (A → B), where A and B are →- and ∀-free.

Proof-Theoretical Foundations of Temporal Logic

57

correspond, respectively, to the frame conditions of reflexivity, seriality, symmetry, and transitivity. Thus, for example, the labeled calculus G3lab S5 defined as G3lab K+{(Ref), (Sym), (Trs)} provides a good sequent-style calculus for the modal system S5. 3.1.3.

Sequent-style calculi for TL

To the best of our knowledge, the first systematic attempt to devise a sequent calculus for Prior’s basic system TL of temporal logic is due to Nishimura in 1980.17 The calculus GKt he introduces works with standard, set-based, sequents, thus the only structural rules are Weakening and the cut rule. The logical rules for the Boolean operators (primitive connectives: negation and conditional) are those of LKp . The logical rules for the primitive temporal operators H and G (P and F are taken as defined) are two right-introduction rules, not accompanied by corresponding left-introduction rules18 : Γ ⇒ HΔ, ϕ GΓ ⇒ Δ, Gϕ

Gr ,

Γ ⇒ GΔ, ϕ HΓ ⇒ Δ, Hϕ

Hr .

One can easily see that these rules are sound with respect to the Kripke semantics for TL, i.e., they preserve truth in an arbitrary model. Suppose indeed that the conclusion of [Gr ] is false in a TLmodel M. Then, there is an instant i in M at which all formulae in GΓ are true and all formulae in Δ ∪ {Gϕ} are false. By i  Gϕ, it follows that j  ϕ for some j > i. But then also, all formulae in HΔ are false at j, whereas all formulae in Γ are true at j. Hence the premise of [Gr ] being false in M. The soundness of [Hr ] is verified analogously. Thus, GKt is sound with respect to TL-validity. Nishimura proves that it is also complete and so equivalent to the axiomatic characterization of TL. GKt is not, however, a good sequent calculus for TL. First, both the rules [Gr ] and [Hr ] patently violate the subformula principle. Next, the cut rule cannot be eliminated. For example, it is not difficult to realize that the characteristic TL-tautology ϕ → G¬H¬ϕ 17 18

Nishimura (1980). GΓ is an abbreviation for {Gϕ | ϕ ∈ Γ} and, analogously, HΓ.

58

Temporal Logic: From Philosophy and Proof Theory

(i.e., ϕ → GPϕ) cannot be derived in GKt without the application of the cut rule. By suitably modifying the rules [Gr ] and [Hr ], Nishimura also provides a Gentzen-style formulation GK4t for TL + Transitivity that shares, however, all the negative aspects of GKt . To conclude, it is perhaps interesting to recall that Nishimura also introduced in the same paper a second sequent calculus GHKt provably sound and complete with respect to TL-validity. It is based on nonconventional sequents (a kind of forerunners of hypersequents) of the form Γ1 ; Γ2 ; Γ3 ⇒ Δ 1 ; Δ 2 ; Δ 3 (the Γ’s and Δ’s are finite sets of formulae; the “;” is a new structural operator), intuitively corresponding to the standard sequent HΓ1 , Γ2 , GΓ3 ⇒ HΔ1 , Δ2 , GΔ3 and so having the intended meaning of the temporal formula       Γ2 ∧ GΓ3 → HΔ1 ∨ Δ2 ∨ GΔ3 . HΓ1 ∧ Unlike GKt , all the rules of GHKt now respect the subformula principle. But unfortunately, the cut rule cannot be dispensed with, as in GKt . The sequent-style calculi for TL and some of its extensions (TL plus one of Transitivity, Reflexivity, Connectedness, or combinations thereof) introduced by Kashima in 199419 are instead examples (the first ones, perhaps) of good sequent-style calculi for temporal logic: • they enjoy cut elimination (although the given proof of the result is only semantic and not syntactic), and • all the other inference rules are analytic, i.e., they fully respect the subformula principle. The price to pay is to abandon Gentzen’s standard sequents and to work instead with a peculiar elaboration of the Tait-style approach (see the previous section). 19

Kashima (1994).

Proof-Theoretical Foundations of Temporal Logic

59

First of all, the propositional TL language is recasted in a convenient form featuring, besides the literals and the Boolean operators ∧, ∨, all the four Prior’s temporal operators H, G, P, F, and the definition of ¬ϕ is extended by the natural clauses: ¬Hϕ := P¬ϕ, ¬Gϕ := F¬ϕ, ¬Pϕ := H¬ϕ, ¬Fϕ := G¬ϕ. Next, nonstandard sequents are adopted, namely one-sided, nested sequents. More precisely, the class S of Kashima sequents (henceforth, sequents), denoted by S, T, . . ., is defined inductively as the smallest class such that: — ϕ ∈ S, for any formula ϕ; — if S ∈ S, then [ S ]p , [ S ]f ∈ S; — if {Si }1≤i≤n ⊆ S (n ≥ 0), then S1 , S2 , . . . , Sn ∈ S (if n = 0, this is the empty sequent). The meaning of a sequent S is given by the temporal formula S∗ inductively associated to it as follows: — if S ≡ ϕ, S∗ := ϕ; — ([ S ]p )∗ := HS∗ and ([ S ]f )∗ := GS∗ ; — (S1 , . . . , Sn )∗ := S∗1 ∨ . . . ∨ S∗n (⊥ if n = 0). Kashima’s basic sequent system SKt , corresponding to TL, is now obtained by adding to the Tait-style sequent calculus for LKp previously described the following Structural rules: Γ, [ Δ ]f [ Γ ]p , Δ

turn1 ,

Γ, [ Δ ]p [ Γ ]f , Δ

turn2

and Temporal inference rules: Γ, [ ϕ ]p Γ, Hϕ

H,

Γ, [ ϕ ]f Γ, Gϕ

G,

Γ, [ Δ, ϕ ]p Γ, [ Δ ]p , Pϕ

P,

Γ, [ Δ, ϕ ]f Γ, [ Δ ]f , Fϕ

F.

To exemplify the use of Kashima’s temporal rules, here is a SKt -derivation of the formula (one element sequent) ¬p ∨ HFp, alias

60

Temporal Logic: From Philosophy and Proof Theory

is the TL-tautology p → HFp: ¬p, p [ ¬p, p ]f Fp, [ ¬p ]f ¬p, [ Fp ]p ¬p, HFp ¬p ∨ HFp

turn2

F turn1 .

H ∨

Truth preservation of the temporal rules in an arbitrary TL model can indeed be easily verified, and the soundness of Kashima’s calculus SKt follows. Completeness, together with (semantic) cut elimination, is proved by Kashima through a suitable adaptation of the known canonical-tree construction technique. Given an input sequent S, the associated search tree is proved to yield either a cut-free derivation of S in SKt or a TL countermodel for S∗ . We conclude this section with a presentation of the labeled sequent-style calculus G3lab Kt for the basic temporal system TL and of its modular extensions corresponding to extensions of TL derived from the addition of certain conditions on the temporal precedence relation.20 The labeled-sequents framework for plain modal logics has already been already described, and its adaptation to basic temporal logics is quite natural. The propositional language features as primitives the propositional constants ⊥ (absurd), ∧ (conjunction), → (conditional), and Prior’s temporal operators H, G, P, F; ¬φ is defined as ϕ → ⊥. The definitions of relational atoms, labeled formulae, and labeled sequents remain unchanged, except that for obvious reasons, the relational symbol “R” is replaced by “ 0).14 This kind of network can compute, for example, an approximation of a function f : Rn → R with I = O = R. A network which classifies, for example, 8-bit pictures of size h × v (with h horizontal and v vertical) in two classes, can be defined by a function ν : I h·v → O with input domain I = {0, . . . , 255} for 28 = 256 possible 8-bit pictures 10

Sch¨ olkopf and Smola (2002). Vapnik (1998). 12 Schmidhuber (2015, pp. 61, 85–117). 13 Mainzer (2002). 14 Mainzer and Kahle (2022); Leofante (2018, p. 2). 11

Applications and Outlook of Temporal Logic

115

output layer

layer 3

layer 2

layer 1

input layer

Fig. 4.2. layer. inputs

Feedforward network with three hidden layers and an input and output

weights

linear combination

activation function

Σ

⋮

⋮

Fig. 4.3.

Activation of neurons.

and output domain O = {0, 1} for two classes denoted 0 and 1. The mapping starts with an input from I n , which is at first given to the input layer and then through the hidden layers to the output layer. Mathematically, linear combinations of the values of nodes (neurons) and weights (synaptic connections) from the preceding layers are computed layer by layer. The activation functions are applied on these results for the following neurons (Fig. 4.3). Networks are distinguished by different activation functions. The threshold function of a McCulloch–Pitts neuron has only the function value of 1 for inputs v ≥ 0, otherwise 0 (Fig. 4.4(a)). A piecewise linear function maps a bounded interval linearly and the outer

116

Temporal Logic: From Philosophy and Proof Theory

(a)

(b)

Fig. 4.4.

(c)

(d)

Examples of activation functions.

intervals constantly (Fig. 4.4(b)). Sigmoid functions have a variable gradient measure, which is expressed by the curvature of the graph (Fig. 4.4(c)). A rectifier function (ReLU: rectifier linear unit) has the positive values of their arguments, otherwise 0 (Fig. 4.4(d)). 4.1.3.

Statistical and causal learning

Because of Big Data, neural networks with deep learning are endangered to become a black box with an ever-increasing number of parameters.15 Data correlations can provide indications of facts but do not have to do so. Statistical learning and reasoning from data is therefore not sufficient. Rather, one must recognize the causal relationships between causes and effects behind the measured data. These causal relationships depend on the laws of the respective application domain. Therefore, in addition to the statistics of the data, additional laws and structural assumptions of the application domains are required, which are verified by experiments and interventions. Causal explanatory models (e.g., the planetary model or a tumor model) fulfill the law and structural assumptions of a theory (e.g., Newton’s gravitational theory or the laws of cell biology). In causal reasoning, the properties of data and observations are derived from causal models. Causal inference thus makes it possible to determine the effects of interventions or data changes (e.g., through experiments). Causal learning, vice versa, tries to create a causal model from observations, measurement data, and interventions (e.g., experiments), which require additional laws and structural assumptions.16 It can be proved that a causal model includes a clear probability distribution of the data but not vice versa: For causal models 15 16

Knight (2017). Pearl (2009), Peters et al. (2017).

Applications and Outlook of Temporal Logic

117

(e.g., the planetary model), additional laws (e.g., the gravitational law) must be assumed.17 The objective of causal learning is therefore to discover the causal dependencies of causes and effects behind the distribution of measurement and observation data. 4.1.3.1.

Example: Reinforcement learning

In unsupervised learning, the algorithm learns to recognize new patterns (correlations) from the set of inputs without “teachers.” In supervised learning, the algorithm learns to determine a function from given pairs of inputs and outputs (training). A “teacher” (e.g., trained prototype of a pattern) corrects deviations from the correct function value to an output (e.g., recognition of learned patterns). Reinforcement learning (RL) is in between: A robot is given a target (as in supervised learning). However, it must find the realization independently (as in unsupervised learning). In the step-by-step realization of the goal, the robot receives feedback from the environment at each partial step as to how good or bad it is at realizing the goal. Its strategy is to optimize this feedback. Technically, this means the algorithm learns through experience (trial and error) how to act in an (unknown) environment (world) in order to maximize the utility of the agent.18 Mathematically, RL is a dynamic system of an agent and its environment with discrete time steps t = 0, 1, 2, . . .. At any time t, the world is in a state zt . The agent chooses an action at . Then, the system enters the state zt+1 and the agent receives the reward bt (Fig. 4.5).19 The agent’s strategy is defined by πt , wherein πt (z, a) is the probability that the action is at = a if the state is zt = z. Algorithms of RL determine how an agent changes its strategy based on its experiences (rewards). The goal of the agent is to optimize his feedback in order to achieve the goal. An example is a mobile robot which is supposed to pick up empty beverage cans in an office and throw them in a trash can. The robot has sensors to detect the cans and an arm with a gripper to grip the cans. Its activities depend on a battery that occasionally needs to be 17

Mooij et al. (2013). Sutton and Barto (1998), Russell and Norvig (2004). 19 Mainzer (2019, p. 121). 18

Temporal Logic: From Philosophy and Proof Theory

118

Fig. 4.5.

Reinforcement learning of an agent from its environment.

recharged at a base station. The control system of the robot consists of components for the interpretation of sensor information and for the navigation of the robot arm and robot gripper. The intelligent decisions for can search are realized by a reinforcement algorithm that takes into account the charge level of the battery. The robot can choose between three actions: active search for a can in a certain time period, stationary hibernation and waiting for someone to bring a can, and returning to base station to recharge the battery. A decision is made either periodically or whenever certain events, such as finding a can, occur. The condition of the robot is determined by the condition of its battery. The rewards are usually zero but become positive when the robot finds an empty can or negative when the battery charge runs out. Ideally, an agent is in a state that sums up all the past experiences necessary to achieve its goal. Normally its immediate and present perceptions are not sufficient for this. But the complete history of all past perceptions is also not necessary. For the future flight of a ball, it is sufficient to know its current position and speed. It is not necessary to know its complete previous course. In such cases, the history of the present state has no influence on future development. If the probability of a state depends only on the preceding state and a preceding action of the agent in that state, the decision process satisfies the Markov property. The Markov decision process (MDP) is determined by the Markov property: P (zt+1 , rt+1 |z0:t , a0:t , b0:t ) = P (zt+1 , rt+1 |zt , at ).

Applications and Outlook of Temporal Logic

119

The action model P (zt+1 |zt , at ) is the conditional probability distribution that the world changes from state zt to state zt+1 if the agent selects the action at ; rt+1 is the expected return in the next step. Because computing and storage capacities are scarce and costly, practical RL applications often require the Markov feature. Even if the knowledge of the present state is not sufficient, an approximation of the Markov property is favorable. For very large (“infinite”) state spaces, the utility function of an agent must be approximated (e.g., state–action–reward–state algorithms (SARSA), temporal difference learning, Monte Carlo methods, dynamic programming). 4.1.4.

Hybrid AI

Increasing computational power and acceleration of communication need improved consumption of energy, better batteries, miniaturization of appliances, and refinement of display and sensor technology. Under these conditions, intelligent functions can be distributed in a complex network with many multimedia terminals.20 Together with satellite technology and global positioning system (GPS), electronically connected societies are transformed into cyberphysical systems.21 They are a kind of symbiosis of man, society, and machine with digital and analog interfaces, which leads to “hybrid AI.”22 Knowledge-based systems (symbolic AI) are combined with machine learning (subsymbolic AI). Communication is not only realized between human partners with (“analog”) natural languages but in digital codes with the things of this world. Cyberphysical systems also mean a transformation into an Internet of Things (IoT). Things on the Internet become locally active agents of complex dynamical systems, i.e., communication networks. Examples of locally active agents are robots combining AI functions with knowledge-based programming and situational learning. Only in this way, it will be possible for robots not only to skillfully coordinate their actions with each other but also to plan and decide how more sophisticated biological systems can be. Neuromorphic

20

Mainzer (2017). Mainzer (2015). 22 Mainzer (2016). 21

120

Temporal Logic: From Philosophy and Proof Theory

computer structures are designed, which do not occur in this way in nature but combine the advantages of neuronal systems of nature with the advantages of technical computer structures.23 Neural quantum computers are also conceivable, in which the enormous computing speed and storage capacity of quantum computers are combined with neural networks.24 According to this, intelligence is an interactively developing ability and not a static and rigidly programmed property of an isolated system. But how can one rely on cyberphysical systems with hybrid AI? Statistical machine learning with neural networks works, but we cannot understand and control the processes in the neural networks in detail. Today’s machine learning techniques are mostly based only on statistical learning, but that is not enough for safety-critical systems.25 Machine learning can be combined with proof assistants (symbolic AI) and causal learning. As in cognitive systems, experience and learning from data need control over logical reasoning. Verification of software has already been a crucial step in the development of computer programs in software engineering26 : After requirement engineering, design, and implementation of a program, different verification procedures have been applied in practice. A program is said to be correct (“certified”) if it can be verified to follow a given specification which is derived from the design of the program. In symbolic AI, proof assistants were already considered, which prove the correctness of a computer program in a consistent formalism like a constructive proof in mathematics (e.g., Coq, Agda, MinLog).27 Obviously, proof assistants are the best formal verification of correctness for certified programs. But, in industry and business practices, proof assistants seem to be too ambitious because of the increasing complexity of AI software. Therefore, industrial production is often content with ad hoc tests or empirical test procedures, which try to find statistical correlations and patterns of failures.28 A challenge is the verification of machine 23

Mainzer and Chua (2013). Mainzer (2020). 25 Kl¨ uppelberg et al. (2014). 26 Bourque and Dupuis (2004). 27 Mainzer et al. (2021). 28 Bertolino (2000), Tretmans and Brinksma (2003). 24

Applications and Outlook of Temporal Logic

121

learning with neural networks and learning algorithms. The increasing complexity of neural networks with an ever-increasing number of parameters generate black boxes which seem only to be trainable by Big Data and testable by ad hoc and empirical procedures. But, in practice, we must also consider the costs of testing. Formal proofs of complex software need an immense amount of time and man power. On the other hand, it is risky to rely on ad hoc testing and empirical testing only in safety-critical systems. For certification of AI programs, we must aim at increasing accuracy, security, and trust in software in spite of increasing complexity of civil and industrial applications but with respect to the costs of testing (e.g., utility functions for trade-off time of delivery vs. market value, cost/effectiveness ratio of availability). There is no free lunch for the demands of safety and security. Against the background of earlier studies on interdisciplinary risk and AI standardization,29 one should aim at a scale of sustainable degrees of certification for responsible and sustainable AI. 4.1.5.

Reinforcement learning with temporal logic

A widely used method of machine learning is the RL method. The idea is that an agent or robot searches a problem solution in a certain environment and gets rewards to improve its search in learning steps. Thus, RL is an optimization process of problem-solving, which mainly uses a stochastic MDP to converge to the problem solution. Real-world applications are very complex and cannot be realized in simple trial-and-error procedures. An example is the task of a humanoid robot to learn how to drive a car.30 A reward function may be the travel duration to a destination. But there are a huge number of details which must also be considered, such as applications of gas and brake, using the steering wheel and transmission, safety requests, and, last but not least, reaching the destination on time. Humans do not learn in a stupid, brute-force manner by testing all possibilities of behavior but reduce complexity through incorporated rules which encourage correct behaviors and penalize risky ones. They aim at policies to maximize the reward functions. 29 30

Wahlster and Winterhalter (2020). Li et al. (2017).

122

Temporal Logic: From Philosophy and Proof Theory

The incorporated rules of a reward function are called the specification of a task. The temporal coordination of these behaviors is expressed by modal and temporal operators: One must do this request before that request in order to fulfill a certain intention and to avoid a certain obstacle which could eventually emerge under certain constraints, etc. Therefore, it is convenient to use formulae of a temporal logic to describe the specification of a task. A temporal calculus can be used as a formal specification language to express the requirements of what an agent or robot should do. A quantitative semantics of the temporal calculus is used to transform temporal logical formula into (real-valued) reward functions. Increasing rewards transform to better satisfaction of the specifications. It can be proven that better policies of behavior are learned faster by using rewards of a temporal logic than by heuristic procedures of trial and error. 4.1.6.

Policy search in reinforcement learning

The search for satisfactory policies in RL is made precise in the framework of MDP.31 An (infinite) MDP is a tuple (S, A, p, R) with continuous set S ⊆ Rn of states, continuous set A ⊆ Rm of actions, transition probability function p : S × A × S → [0, 1] such that p(s, a, s ) is the probability of taking action a ∈ A at state s ∈ S ending up in state s ∈ S or conditional probability p(s |s, a), and reward function R : r → R on state–action trajectory r = (s0 , . . . , sT ). In RL, the transition function p is not known by the learning robot or agent. The reward function can be defined or learned. The goal of RL is to find an optimal stochastic policy π ∗ : S × A → [0, 1] which maximizes the expected accumulated reward: π ∗ = arg maxπ Epπ (r) (R(r)), with the trajectory distribution pπ (r), which results from following policy π and reward R(r) for given r. A policy can be represented by a parameterized model of, for example, a neural network πθ with the set θ of weights as model 31

Deisenroth (2013); Li et al. (2017).

Applications and Outlook of Temporal Logic

123

parameters. The policy search tries to find the optimal set of θ with θ ∗ = arg maxθ Epπθ (r) (R(r)). 4.1.7.

Truncated linear temporal logic for reinforcement learning32

A convenient formal language in RL should have the ability to transform the specification of a learning task into a reward function. In the work of Li et al. (2017), the formulae of a linear temporal logic (LTL) refer to predicates of functional constraints f (s) < c with real function f : Rn → R and constant c. The syntax of formulae in this temporal logic is defined inductively as usual: ϕ := |f (s) < c|¬ϕ|ϕ ∧ ψ|ϕ ∨ ψ|♦ϕ|ϕ|ϕ



ψ|ϕTψ|Xϕ|ϕ ⇒ ψ,

with predicate f (s) < c and Boolean  connectives and temporal operators ♦ (eventually),  (always), (until), T (then), X (next), and ⇒ (implication). These formulae are evaluated with respect to finite time sequences over a set S of states which are generated by an MDP. A sequence of states from time t to time t + k is denoted by st:t+k . The semantics of the formulae is defined in the following way: st:t+k st:t+k st:t+k st:t+k st:t+k st:t+k st:t+k

32

Li et al. (2017).

|= f (s) < c :⇔ f (st ) < c, |= ¬ϕ :⇔ ¬(st:t+k |= ϕ), |= ϕ ⇒ ψ :⇔ (st:t+k |= ϕ) ⇒ (st:t+k |= ψ), |= ϕ ∧ ψ :⇔ (st:t+k |= ϕ) ∧ (st:t+k |= ψ), |= ϕ ∨ ψ :⇔ (st:t+k |= ϕ) ∨ (st:t+k |= ψ), |= Xϕ :⇔ (st:t+k |= ϕ) ∧ (k > 0),  |= ϕ :⇔ t ∈ [t, t + k)st :t+k |= ϕ,

124

Temporal Logic: From Philosophy and Proof Theory

 st:t+k |= ♦ϕ :⇔ t ∈ [t, t + k)st :t+k |= ϕ,   t ∈ [t, t + k)st :t+k |= ψ st:t+k |= ϕ ψ :⇔  ∧ t ∈ [t, t )st :t+k |= ϕ,  st:t+k |= ϕTψ :⇔ t ∈ [t, t + k)st :t+k |= ψ  ∧ t ∈ [t, t )st :t+k |= ϕ. According to these definitions, the temporal operators have the following meaning: st:t+k |= ϕ, i.e., the specification defined by ϕ is always satisfied in the state trajectory st:t+k if the specification of ϕ is satisfied for every subtrajectory st :t+k with t ∈ [t, t + k). st:t+k |= ♦ϕ, i.e., the specification defined by ϕ is eventually satisfied in the state trajectory st:t+k if the specification of ϕ is satisfied for at least onesubtrajectory st :t+k with t ∈ [t, t + k). st:t+k |= ϕ ψ, i.e., the specification defined by ϕ “until” ψ is satisfied in the state trajectory st:t+k if the specification of ϕ is satisfied at every time step before ψ is satisfied, and ψ is satisfied at a time between t and t + k. st:t+k |= ϕTψ, i.e., the specification defined by ϕ “then” ψ is satisfied in the state trajectory st:t+k if the specification of ϕ is satisfied at least once before ψ is satisfied between t and t + k. A trajectory s of duration k is said to satisfy a formula ϕ if s0:k |= ϕ. For RL, a specification of a formula ϕ must be transformed into a real-valued function that can be used as reward. Therefore, a realvalued function ρ(st:t+k , ϕ) depending on state trajectory st:t+k and specification formula ϕ should measure how far st:t+k is from satisfying or violating the specification ϕ. The results of ρ are sometimes called robustness degrees. They define the quantitative semantics of the considered LTL calculus: ρ(st:t+k , ) := ρmax (maximal robustness degree), ρ(st:t+k , f (st ) < c) := c − f (st ), ρ(st:t+k , ¬ϕ) := −ρ(st:t+k , ϕ),

Applications and Outlook of Temporal Logic

125

ρ(st:t+k , ϕ ⇒ ψ) := max(−ρ(st:t+k , ϕ), ρ(st:t+k , ψ)), ρ(st:t+k , ϕ ∧ ψ) := min(ρ(st:t+k , ϕ), ρ(st:t+k , ψ)), ρ(st:t+k , ϕ ∨ ψ) := max(ρ(st:t+k , ϕ), ρ(st:t+k , ψ)), ρ(st:t+k , Xϕ) := ρ(st+1:t+k , ϕ) ρ(st:t+k , ϕ) := ρ(st:t+k , ♦ϕ) := ρ(st:t+k , ϕ



min

t ∈[t,t+k)

(k > 0),

ρ(st :t+k , ϕ),

max ρ(st :t+k , ϕ),

t ∈[t,t+k)

 ψ) :=

max

t ∈[t,t+k)

 ρ(st:t+k , ϕTψ) :=

max

t ∈[t,t+k)

min(ρ(st :t+k , ψ), min ρ(st :t , ϕ) , t ∈[t,t )

min(ρ(st :t+k , ψ), max ρ(st :t , ϕ) . t ∈[t,t )

Obviously, ρ(st:t+k , ϕ) > 0 implies st:t+k |= ϕ, and ρ(st:t+k , ϕ) < 0 implies st:t+k |= ϕ. An example illustrates the computation of the robustness degrees of specifications. The formula ϕ = ♦ (s < 10) is a specification with a one-dimensional state s and a state trajectory s0:2 = s0 s1 = [11.5]. The robustness degree is ρ(s0:1 , ϕ) = maxt∈{0,1} (10 − st ) = max(−1, 5) = 5. In this case, ρ(st , ϕ) > 0 implies s0:1 |= ϕ and ρ(st , ϕ) = 5 is a measure for the margin of satisfaction. With respect to tasks of reinforcement learning, it is convenient that a calculus of temporal logic L is defined over predicates which specify tasks as functions of states. A quantitative semantics of the calculus should introduce a continuous (real-valued) measure of satisfaction. It is also convenient that the specification formulae are evaluated over finite-state trajectories of variable length. This procedure allows per-step evaluation according to the empirically available data. Temporal operators can have time bounds but must not have them. These criteria are fulfilled by the previous calculus. Therefore, this calculus is called truncated linear temporal logic (TLTL). There are other LTLs with different advantages and disadvantages,

126

Temporal Logic: From Philosophy and Proof Theory

such as signal temporal logic (STL),33 metric temporal logic (MTL), bounded temporal logic,34 and linear temporal logic on finite traces (LTLf ).35 4.1.7.1.

Example: Goal reaching while avoiding obstacles36

In a first task, an end-effector should reach the goal position g but simultaneously avoid two obstacles o1 and o1 . The discrete and continuous rewards are given by ⎧ if dg ≤ 0.2, ⎪ ⎨ 5, discrete = −2, if do1,2 ≤ ro1,2 , r1 ⎪ ⎩ 0, otherwise, r1continuous = −c1 dg + c2

2 

doi ,

i=1

with Euclidean distance dg between the end-effector and the goal, distance doi between the end-effector and obstacle i, and radius roi of obstacle i. The specification of the task is described by a TLTL formula ϕ1 , which requires eventually to always stay at goal g and always stay away from obstacles, i.e., ϕ1 = ♦ (dg < 0.2) ∧  (do1 > ro1 ∧ do2 > ro2 ). The resulting robustness degrees are computed by     t min 0.2 − dg , ρ1 (ϕ1 , (xe , ye )0:T ) = min max t∈[0,T )

t ∈[t,T )

 t  t min do1 − ro1 , do2 − ro2 ,

t∈[t,T )

with trajectory (xe , ye )0:T of the end-effector position and distance dt at time t. The robustness degrees are automatically generated from the quantitative semantics. Thus, it is only necessary to specify the TLTL formula ϕ1 . 33

Donz´e and Maler (2010). Latvala et al. (2004). 35 De Giacomo and Vardi (2013). 36 Li et al. (2017, pp. 4–5). 34

Applications and Outlook of Temporal Logic

4.1.7.2.

127

Example: Pick-and-placement tasks of robots37

In the next task, a robot should place a piece of bread in a toaster. The gripper position of the robot ranges continuously from 0 to 100, with 0 being the fully closed position. The 21-dimensional state feature space contains seven joint angles and joint velocities, the pose of the end-effector, and the gripper position. The eight-dimensional action space includes seven joint velocities and the desired gripper position. Actions are sent at 20 Hz. The specification ϕ2 of the task requires that the robot always not hit the table or the toaster, eventually reaches the slot, and keeps the gripper closed until the slot is reached, and if the slot is always reached, it implies next that the gripper remains open always, i.e., the TLTL formula:  ϕ2 =  (¬(ψtable ∨ ψtoaster )) ∧ ♦ (ψslot ) ∧ (ψgc ψslot ) ∧ (ψslot ⇒ X  (ψgo )), with predicates ψtable , ψtoaster , and ψslot which describe the regions with spatial constraints (xmin < xe < xmax ) ∧ (ymin < ye < ymax ) ∧ (zmin < ze < zmax ) and position (xe , ye , ze ) of the end-effector.38 Orientation constraints are specified in a similar way. The predicates ψgc and ψgo describe the conditions for the gripper to be closed and opened, respectively. The resulting robustness degree for the specification ϕ2 is given by  e ρ2 (ϕ2 , p0:T ) = min min (max(−ρ2 (ψtable , pet:T ), −ρ2 (ψtoaster , pet:T ), t∈[0,T )

max ρ2 (ψslot , pet:T ), max

t∈[0,T )

min

t ∈[0,T )

min

t ∈[t+1,T )

37 38

t∈[0,T )



ρ2 (ψgc , pet :t )

 

, min

t∈[0,T )



ρ2 (ψgo , pet :T )))

Levine et al. (2016), Gu et al. (2016). Li et al. (2017, pp. 6–7).

.

min(ρ2 (ψslot , pet:T ),

max(−ρ2 (ψslot , pet:T ),

Temporal Logic: From Philosophy and Proof Theory

128

The robustness degrees are automatically generated by the quantitative semantics if specification ϕ2 is given. If ρ2 (ϕ2 , pe0:T ) > 0, then specification ϕ2 is satisfied. 4.1.8.

Temporal logic LTL for reinforcement learning

The syntax of LTL is defined inductively as usual39 : ϕ := p|¬ϕ|ϕ1 ∧ ϕ2 |Xϕ|ϕ1



ϕ2 ,

with atomic proposition p. The other Boolean connectives are defined as usual in classical logic with ¬ and ∧. The logical constants true and false can be defined as  := p ∨ ¬p and ⊥ := ¬. The temporal modalities “eventually”  and “always” can be defined with the “until” operator as ♦ϕ :=  ϕ and ϕ := ¬ ♦ ¬ϕ, respectively. The LTL formula ♦ϕ states that ♦ϕ will always be true, or “eventually ϕ,” is repeated forever. In this case, ϕ must be true infinitely many times. Therefore, ♦ϕ means “infinitely often ϕ.” LTL specifies properties of infinite-state trajectories. For a set AP of atomic propositions, an infinite sequence, σ = σ(0)σ(1)σ(2) . . ., is defined by the values of the function σ : N → 2AP , which includes all propositions p ∈ AP that are true at time t ∈ N . The infinite sequence σ k = σ(k)σ(k + 1)σ(k + 2) . . . is the part of the sequence σ starting at time k. The satisfaction relation |= between trajectory σ and LTL formula ϕ is defined inductively as usual: σ |= p ⇔ σ(0) (i.e, σ(0 |= p), σ |= ¬ϕ ⇔ σ  ϕ, σ |= ϕ1 ∧ ϕ2 ⇔ σ |= ϕ1 and σ |= ϕ2 , σ |= Xϕ ⇔ σ 1 |= ϕ,    k ≥ 0 σ k |= ϕ2 and j < k σ j |= ϕ1 . σ |= ϕ1 ϕ2 ⇔ From a linguistic point of view, LTL specifies properties of the infinite sequence σ = σ(0)σ(1)σ(2) . . . with symbols σ(i) ∈ 2AP = Σ. 39

Lennarston and Quin-Shan Jia (2020).

Applications and Outlook of Temporal Logic

129

The infinite set {0, 1, 2, . . .} of natural numbers represents the smallest infinite ordinal number ω. Therefore, σ ∈ Σω can be understood as infinite symbolic words. Subsets L ⊆ Σω are called ω-languages, which can also be used to specify properties equivalent to LTL specifications. In Section 3.3, it was explained that regular ω-languages with infinite words can be recognized by B¨ uchi automata, while finite words of regular languages can be recognized by finite automata. A B¨ uchi automaton is defined as a tuple, B = (Q, Σ, δ, q0 , Qm , qf ), with a finite set Q of states, a finite set Σ ⊆ 2AP of symbols, transition function, δ : Q × Σ → 2S , initial state q0 , a set Qm of marked goal states, and a forbidden state qf . A B¨ uchi automaton must reach a marked state infinitely mans times, while a finite automaton must reach it one time. In LTL, the acceptance condition of a finite automaton can be expressed as ♦M with state label M for all marked states. The acceptance condition of B¨ uchi automaton is described as ♦M . In Fig. 4.6, a marked state is represented by a double circle. The forbidden state qf is represented by a cross, which is reached for all non-accepted words. In order to specify properties on state labels in temporal logic, an MDP is defined for RL. An MDP is a tuple M = (S, A, P, s0 , AP, λ, ρ) with a countable set S of states, a finite set A of actions and set A(s) of available actions in state s, transition probability function P : S × A × S → [0, 1] such that P (s, a, s ) is the transition probability for  transition (s, a, s ) from state s to state s for action a ∈ A(s) with s ∈S P (s, a, s ) = 1, initial state s0 , a set AP of atomic propositions, a state labeling function λ : X → 2AP , and a reward function ρ : S × A × S → R with the immediate reward ρ(s, a, s ) after transition (s, a, s ). The function value λ(s) of the labeling function λ indicates those atomic propositions which are satisfied in state s. In RL, an MDP should satisfy an LTL formula ϕ. Therefore, the corresponding B¨ uchi automaton Bϕ is synchronized with the MDP M by the definition of a product model M ⊗ Bϕ .40 For M = (S, A, P, s0 , AP, λ, ρ) and B = (Q, Σ, δ, q0 , Qm , qf ), the synchronization is defined by M ⊗ B := (S × Q, A, P⊗ , (s0 , δ(q0 , λ(s0 ))), S × Qm , S × {q0 }, ρ⊗ ), 40

Baier and Katoen (2008).

Temporal Logic: From Philosophy and Proof Theory

130

with transition probability P⊗ ((s, q), a, (s , q  )) =

 P (s, a, s ), if q  = δ(q, λs )), 0, otherwise,

and reward ⎧ ⎨ ρM > 0, ρ⊗ (s, q) = ρ(s) + ρF < 0, ⎩ 0,

if q ∈ Qm , if q = qf , otherwise.

The state label λ(s ) of the target state s in the MDP M should satisfy the related transition label in the B¨ uchi automaton B. In this sense, a transition ((s, q), a, (s , q  )) in the synchronized system with transition probability P⊗ is restricted by the condition q  = δ(q, λ(s )). In Fig. 4.6, forbidden states are introduced for non-accepted words. The safety specification ¬q requires that no state with label q is accepted. In the B¨ uchi automaton Bϕ , the forbidden state 2 models that a transition of the MDP M to a state with label q is not accepted. In the reward function ρ⊗ , a positive reward ρM > 0 is related to marked states and a negative reward ρF < 0 to forbidden states. In Fig. 4.6, an MDP M has state labels p and q. For the specification ϕ = ♦ p ∧  ¬q, the corresponding B¨ uchi automaton Bϕ is shown with a forbidden state after transitions with label q. The synchronization M⊗ Bϕ has two marked states because specification ♦ p is fulfilled in state 2 as well as 3 in M. In RL, learning is an optimization process which can be performed with, for example, a so-called Q-function. A Q-function is an actionvalue function Q : S × A → R that depends on both the system state and possible actions. The function is estimated from system data, where the next state and resulting reward are considered as a result of a given action which is decided by the learning agent. The optimization of a control policy is performed by a stochastic procedure (e.g., dynamic programming) for the MDP. The policy is determined by the Q-function. It selects actions such that marked states, if possible, will be visited infinitely often. Forbidden states are avoided. In this way, an LTL formula is satisfied.

Applications and Outlook of Temporal Logic

131

Fig. 4.6. Synchronization M ⊗ Bϕ of a Markov decision process M and a B¨ uchi automaton Bϕ .41

4.2.

Temporal Logic in Relativistic Physics

Traditional temporal logics assume classical physics and its concept of time as self-evident. But we have to consider different concepts of time in the different physical theories, such as classical physics, relativistic physics, thermodynamics, and quantum physics. In modern physics, it is well-known that the concepts of time, space, and matter change if research approaches the size of cosmic structures or elementary particles, the velocity of light, and the gravitation of black holes, i.e., in short, if measurements become more and more

41

Lennarston and Quin-Shan Jia (2020, Fig. 1).

Temporal Logic: From Philosophy and Proof Theory

132

dependent on Planck’s quantum constant and the constant of light velocity. In special relativity, the mathematical structure of space-time is given by the four-dimensional Minkowskian geometry.42 The fourdimensional points with three spatial and one temporal coordinate are physically understood as events. According to Einstein, an event y comes after an event x if a signal can be sent from x to y at most with the speed of light. Physically, the causal connections between events are defined in this way. Concerning temporal logic, the temporal operator  of necessity relates to sentences on events which “will always be.” It can be proven that modal sentences valid in this space-time structure are the theorems of the modal calculus S4.2. With respect to temporal logic, the modalities of this calculus relate to a branching-tree temporal logic. With respect to physics, the Minkowskian space-time of relativity theory is one of the most significant nonlinear-time structures. 4.2.1.

Temporal logic of time frames

The syntax of propositional modal logic consists of sentence letters p, q, r, . . ., which are connected by Boolean connectives and the modal operator  (“it is now and will always be the case that”). The modal operator ♦ (“it will be at some time that”) is defined as usual with  as ¬  ¬.43 The semantics of this formal language relates to time frames.44 A time frame is defined as T = (T, ≤) with a nonempty set T of events and a reflexive and transitive ordering. A frame is called directed iff any two elements of T have an upper bound. A T -valuation is a function V which assigns to each sentence letter p the set V (p) ⊆ T of events at which p is true. The valuation function can be extended by inductive definition to all sentences A, B, C, . . . defined with Boolean connectives. For modalities, it is defined as t ∈ V (A) if and only if t ≤ s implies s ∈ V (A), t ∈ V (♦A) if and only if for some s ∈ V (A), it is t ≤ s. 42

Mainzer (2010, Chapter III.1). Prior (1967). 44 Goldblatt (1980). 43

Applications and Outlook of Temporal Logic

133

The reflexivity of ≤ expresses the meaning of modal operator  (“it is and will always be”). A sentence A is valid in time frame T = (T, ≤) according to this definition: T |= A iff V (A) = T for every T -valuation V . Time frames may have an analogous structure, which is defined with a homomorphic mapping. Time frames T = (T, ≤) and T  = (T  , ≤ ) are called p-homomorphic (abbreviation: T  T  ) iff there is a (surjective) function f : T → T  (p-homomorphism) with (i) t ≤ s implies f (t) ≤ f (s), (ii) f (t) ≤ v implies that there is some s ∈ T with t ≤ s and f (s) = v. For p-homomorphic time frames with T  T  , it is T |= A only if T  |= A for any sentence A. A subset T  ⊆ T is called future-closed under ≤ if, for all t ∈ T  with t ≤ s, it is s ∈ T  . A time frame T  = (T  , ≤ ) with a futureclosed subset T  ⊆ T is called a subframe of time frame T = (T, ≤). Because of the transitivity of ≤, for each t, the set {s|t ≤ s} is the base of a subframe of T generated by t. An element 0 ∈ T is called an initial point of time frame T if 0 ≤ s is for all s ∈ T . Therefore, t is an initial point of the subframe generated by t. For subframe T  of T , it is T |= A only if T  |= A for any sentence A. The semantics of time frames can be related to the formal modal calculus S4.2, which is axiomatized by the following formulae: (i) (ii) (iii) (iv)

(A → B) → (A → B), A → A, A → A, ♦A → ♦A

and rules , (i) modus ponens: A A→B B A (ii) necessitation: A . Formula (i) is valid on all frames because it expresses a general property of necessity independent of the properties of ≤. Formula (ii) is valid because of the reflexivity of ≤. Formula (iii) is valid because of

134

Temporal Logic: From Philosophy and Proof Theory

the transitivity of ≤. Formula (iv) is valid if ≤ is directed. Therefore, the following version of soundness is true for the modal calculus S4.2 with respect to the semantics of time frames: S4.2 A implies that A is valid in all directed frames. Completeness can also be proven for S4.2 in the following sense: S4.2 A implies that there is a finite generated and directed time frame T with T  A. The equivalence relation on T with t ≈ s iff t ≤ s

and s ≤ t

leads to clusters t¯ and s¯ as equivalence classes. They can be ordered by an ordering t¯ ≤ s¯ iff t ≤ s, which is antisymmetric because s¯ ≤ t¯ and t¯ ≤ s¯ implies t¯ = s¯. Therefore, a time frame can be represented as a partially ordered collection of clusters. A final element s in a time frame T with t ≤ s for all t ∈ T is denoted by ∞. If time frame T is directed and finite, then it must have at least one final point. All final points are ≈-equivalent and belong to cluster ∞. ¯ A time frame T can be extended by a unique final point ∞ ∈ / T with T ∞ := (T ∪ {∞}, ≤) and appropriately extended ordering ≤ of T for ∞. As the final point is an upper bound for any two elements, time frame T ∞ is directed. In order to construct an appropriate time frame for the Minkowskian space-time of relativity, an infinite binary-branching frame B = (B, ≤) is introduced.45 The elements x ∈ B are finite sequences x = x1 x2 , . . . , xn , with xi ∈ {0, 1} and length l(x) = n. The empty sequence x = ∅ with l(x) = 0 is included. The ordering for sequences x = x1 x2 , . . . , xn and y = y1 y2 , . . . , yn is defined by x ≤ y iff x is an initial element of y, Iff n ≤ m, 45

Goldblatt (1980).

and

y = x1 x2 , . . . , xn yn+1 yn+2 , . . . , ym .

Applications and Outlook of Temporal Logic

Fig. 4.7.

135

Infinite binary-branching frame B = (B, ≤).

Obviously, the infinite binary-branching frame is partially ordered with ∅ as the initial point. The successors of x in B are the sequences that extend x. There are exactly two immediate successors 0 and 1 of x. In Fig. 4.7, the tree of the infinite binary-branching frame B = (B, ≤) is illustrated. The length l(x) can be considered as the level of x in B. In Section 1.2, this tree structure was already introduced as a binary fan of intuitionistic mathematics. It can be proven that the infinite binary-branching frame B is p-homomorphic to any finite generated time frame. Modal logic S4 contains the axioms of S4.2 without axiom (iv). Any non-theorem for S4 is falsifiable on a finite generated reflexive and transitive frame. The infinite binary-branching frame B is p-homomorphic to any finite generated time frame. For p-homomorphic time frames with T  T  , it is T |= A only if T  |= A for any sentence A. Therefore, for any sentence A, it holds that S4 A if and only if B |= A.46 A characteristic frame for the calculus S4.2 can be found by extension of B with an infinite final cluster at the top of B. For an infinite set Ω = {∞0 , ∞1 , . . . , ∞n , . . .} of elements disjoint from B, a frame B Ω = (B ∪ Ω, ≤) is defined with an extended ordering ≤ with respect to the elements of Ω. It can be proven that B Ω  T (i.e., B Ω is p-homomorphic to T ) for any finite directed and generated frame T . It follows that S4.2 A if and only if B Ω |= A for any A.46 46

Goldblatt (1980, p. 225).

Temporal Logic: From Philosophy and Proof Theory

136

4.2.2.

Time frames of Minkowskian space-time

The metric of an n-dimensional Minkowskian geometry is defined by μ(x) := x21 + x22 + · · · + x2n with n-tupel x = (x1 , x2 , . . . , xn ) of real numbers. In special relativity, it is n = 4, with spatial coordinates x1 , x2 , x3 and time coordinate x4 = t which is distinguished by the minus-sign in the Minkowskian metric.47 Mathematically, an n-dimensional space-time can be defined as a frame T n = (Rn , ≤) with x≤y

iff

n−1 

iff μ(y − x) ≤ 0

and xn ≤ yn

(yi − xi )2 ≤ (yn − xn )2

for x, y ∈ Rn

and xn ≤ yn

for x, y ∈ Rn .

i=1

T n is a partially ordered and directed frame. Anupper bound of 2 x and y is z := (x1 , x2 , . . . , xn−1 , zn ) with z n = n−1 i=1 (yi − xi ) + |xn | + |yn |. It can be proven that T n and T n+1 are p-homomorphic (i.e., n T  T n+1 ).48 Physically, Minkowskian space-time is T 4 . Elements x and y are called “events.” The relation x ≤ y means that a signal can be sent from event x to event y with a speed at most that of light in the causal future of x. The spatial and the time coordinates can be chosen such that the speed of light is one unit of distance per unit of time. Then, in the frame T 2 , the future for each event e = (x, y) in the plane consists of all events on or above upwardly directed rays of slopes +1 and −1 from e (Fig. 4.8).49 It can be proven that for any sentence A, it holds that S4.2 A iff T n |= A iff I |= A for the unit box I := [0, 1) × [0, 1). In the time frame T n , a relation of events can be defined with x≺y 47

iff μ(y − x) ≤ 0 and xn ≤ yn .50

Mainzer (1988, pp. 39–44, Chapter 3.3: Minkowski’s spacetime). Goldblatt (1980, pp. 225–227). 49 Goldblatt (1980, p. 227, Fig. 3). 50 Goldblatt (1980, pp. 232–234). 48

Applications and Outlook of Temporal Logic

Fig. 4.8.

137

Future in Minkowskian space-time T 2 .

Physically, x ≺ y means that a signal can be sent from event x to event y at less than the speed of light. For the reflexive relation xRy

iff x = y or x ≺ y,

the valid sentences on time frame (T n , R) are exactly the theorems of the logical calculus S4.2. The standard models of relativistic cosmology allow a mathematical solution that cosmic expansion will lead to a contraction of the universe, with a final collapse to a singularity. In this case, any future path in space-time will end in the singularity. Mathematically, in a time frame, the existence of a singularity means    x y(x ≤ y ∧ w(y ≤ w → y = w)). In a directed partially ordered frame, there can be only one unique final event y with the singularity condition. The reason is that if y has no successors, then an upper bound for y and the other point can only be y itself. The calculus K2 extends the calculus S4.2 by the axiom  ♦ A → ♦  A. This formula is valid on frames with the singularity condition. In temporal logic, we must distinguish two irreflexive orderings with different consequences for space-time. There is the already defined ordering x≺y

iff μ(y − x) ≤ 0 and xn ≤ yn ,

which must be distinguished from the after-relation in temporal logic xay

iff x = y

and x ≤ y.

The difference between both orderings becomes obvious in terms of the validity of modal sentences. Concerning the after-relation a,

Temporal Logic: From Philosophy and Proof Theory

138

• •

later

now

now

Time-travel paths with respect to ordering ≺ (left) and a (right).51

Fig. 4.9.

two propositions A and B are considered, which hold in the future at two points that can only be reached from now by traveling in opposite directions at the speed of light (Fig. 4.9(left)). In this case, ♦A ∨ ♦B will be true now but never again. It follows that ♦A ∧ ♦B → ♦(♦A ∧ ♦B) is not valid for the past-relation a. For the ≺-relation, the formula is true. The reason is that a slowerthan-light travel can always be realized with faster velocity. Therefore, the traveler can wait for some time and travel to A and B at a greater speed (Fig. 4.9(right)). This difference between the two orderings is true for all time frames T n with n ≥ 2. It is remarkable that the validity of modal sentences is dimension dependent in the Minkowskian geometry of relativity theory. In three-dimensional space-time T 3 , there are at least three points that can only reached by traveling in different directions with the speed of light. In Fig. 4.10, the future of an event e is illustrated by the well-known Minkowskian right circular cone, which is centered in e.52 In (T 3 , a) (also in (T n , a) with n ≥ 3), the following modal sentence can be falsified for ij ∈ {1, 2, 3}: ⎞  ⎛     ♦pi ∧ ⎝ (pi → ¬♦pj )⎠ → (♦(♦pi ∧ ♦pj )). i

i=j

i=j

n

But this sentence is true in (T , ≺) with n ≥ 2 and in (T 2 , a). The two-dimensional Minkowskian space-time consists of one space 51 52

Goldblatt (1980, p. 234). Mainzer (1988, pp. 40–42).

Applications and Outlook of Temporal Logic

139

e

Fig. 4.10.

Minkowskian future cone in T 3 .

dimension and one time dimension. In the corresponding temporal logic, there is an algorithm to determine whether a given temporal formula is valid over the two-dimensional Minkowskian space-time or not. For higher dimensions, such an algorithm of decidability is not known. 4.2.3.

Modal and temporal logics for continuous and discrete space-time

In the studies of Minkowskian space-time, one can distinguish the languages of modal and temporal logic. The language of modal logic is the language L of propositional logic extended by the modal operator  of necessity. The language of temporal logic consists of the language L of propositional logic extended by the temporal operators G (“necessarily in the future”) and H (“necessarily in the past”). There are dual operators with the following definitions53 : ♦ := ¬¬ (“possibly”), F := ¬G¬ (“possibly in the future”), P := ¬H¬ (“possibly in the past”). In general, the semantics of these formal languages can be defined by Kripke models. A Kripke model is a structure M := (W, R, V ), with set W of points (“worlds” or “times”), binary relation R on W , and a function V from the set of propositional variables to the set 2W of all subsets of W . For a propositional variable p the set 53

Uckelman and Uckelman (2007).

Temporal Logic: From Philosophy and Proof Theory

140

V (p) contains all worlds or times when the proposition p is true. The semantic truth in a (Kripke) model is defined recursively for the Boolean connectives ¬, ∧, ∨, and → in the usual way. For the modal and temporal operators, the necessary truth in the future and in the past of a formula ϕ in a world or time x of a Kripke model M is defined by M, x |= ϕ iff M, y |= ϕ for all y with xRy, M, x |= Gϕ iff M, y |= ϕ for all y with xRy, M, x |= Hϕ iff M, y |= ϕ for all y with yRx. The modal logic K consists of all axioms of propositional logic and the modal axiom (p → q) → (p → q) and the rules of modus ponens and inference of  ϕ from  ϕ. The corresponding temporal logic Kt consists of all axioms of propositional logic extended by axioms of the temporal operators G and H with (i) (ii) (iii) (iv)

H(p → q) → (Hp → Hq), G(p → q) → (Gp → Gq), p → HF p, p → GP p

and the rules of modus ponens and inference of  Hϕ and  Gϕ from  ϕ. One can restrict to the modal language with the constraint that the relation R must be reflexive and a proposition p true, resp. possible, at a point whenever p is necessary, resp. true, at that point. One can also restrict to the temporal language with the constraint that p (necessarily p) is a definition for p ∧ Gp (p and p always true in the future). Mathematically, Kripke models can be considered for continuous worlds W = Rn and discrete worlds W = Zn . Continuous worlds are interesting for the physical application of the Minkowskian spacetime (R4 , ), with  as relation R of Kripke models. The set {y|x  y} is the Minkowskian future light cone of event x. This is the set of all future physical events which are accessible from x. Events outside the future light cone are not accessible from x and therefore causally undetermined. Mathematically, (Rn , ) is isomorphic

Applications and Outlook of Temporal Logic

141

to (Rn , ≤), which is the rotation of (Rn , ) with an angle of 45◦ in Fig. 4.8 (for n = 2). Relation  is reflexive. There are two irreflexive orderings ≺ and a in modal and temporal logic, which were already studied in the previous section with their different consequences. A modal logic of the frames (Rn , ≤) with n ≥ 2 is S4.2, which consists of calculus K and the modal axioms (i) p → p, (ii) p → p, (iii) ♦p → ♦p. S4.2 is finitely axiomatizable and complete.54 The modal logic of the frames (Rn , ≺)n ≥ 2 is L2 , which consists of K and the modal axioms (i) (ii) (iii) (iv)

♦♦p → ♦p, ♦(p ∨ ¬p), (♦p ∧ ♦q) → ♦(♦p ∧ ♦q), ♦p → ♦p.55

Axiom (ii) expresses that there are no dead ends in the frames, and every n-tupel can access another n-tupel. Axiom (iii) means a version of density in the frames: For all x, y1 and y2 , there is a z such that if x ≺ y1 and x ≺ y2 , then x ≺ z, z ≺ y1 , and z ≺ y2 . It is remarkable that the modal logics of the reflexive and irreflexive versions of frames Rn are the same for all dimensions n > 1. Concerning the temporal after-operator a, no axiomatization of modal or temporal logics is known for frames (Rn , a) for all n. It is only known that the temporal logics for (Rn , a) must be distinct for all n. Whereas the modal logics for (Rn , ≤) is the same for all n ≥ 2, the modal logics for (Zn , ≤) and (Zn , a) are distinct for all n.56 Obviously, discrete structures seem to be much more complicated than continuous ones.

54

Goldblatt (1980, pp. 220–221). Shapirovsky and Shehtmann (2003, pp. 437–459). 56 Phillips (1998, pp. 545–553). 55

142

4.2.4.

Temporal Logic: From Philosophy and Proof Theory

Conceptual foundations of general relativity57

A main requirement of this book is that temporal logic must consider the change in the time concepts of physics from Aristotle and Newton to Einstein and the quantum world. The axioms of a calculus in temporal logic depends on an intuitive understanding of conceptual foundations of time. Therefore, before analyzing formal systems of temporal logic in general relativity, we start with a short informal reminder on the conceptual foundations of general relativity. In special relativity theory, an absolute space-time frame is abandoned, and all measurements and observations are taken relative to localized frames of reference under the assumption of the velocity of light as maximum speed. But accelerations according to Newton’s law of gravitation are not considered. In general relativity theory, special relativity is extended, and a relativistic gravitational law included. When Einstein extended his investigation of space-time to accelerated reference frames in 1907, he assumed that the acceleration effect of a reference frame cannot be distinguished from the effect of a gravitational field. His thought experiment of an observer who is in a closed box without contact with the outside world and can only observe the movements of bodies in this box is well known. All masses experience the same constant acceleration downward in a homogeneous gravitational field. Also, with respect to a box moving upward with the same acceleration, free mass points of any mass experience this acceleration downward. An observer in the box can therefore not decide by measurement whether the box is constantly accelerated or whether it is in a homogeneous gravitational field. Equivalently, one can also say that the effects of a homogeneous gravitational field on masses can be simulated in an indistinguishable way from those in reference to a suitably accelerated reference frame. In other words, by referring to a freely falling reference frame (e.g., an elevator), all effects of a homogeneous gravitational field can be eliminated, i.e., weightlessness prevails. So far, only the special case of homogeneous gravitational fields has been considered. In an inhomogeneous gravitational field with 57

Mainzer (2010, Chapter III.2).

Applications and Outlook of Temporal Logic

143

different gravitational effects, however, sufficiently small areas can always be considered, in which gravitational effects hardly change and whose effects can therefore be approximated by a homogeneous gravitational field. The equivalence principle therefore states that at least locally, i.e., in very small space-time sections in which the gravitational field does not change, an inertial system can be chosen, whereby the gravitational effect is canceled. Locally, therefore, the laws of special relativity apply without gravity. Einstein’s thought experiment is realized today by passengers in an airplane, who experience weightlessness during free fall in the Earth’s gravitational field (e.g., nosedive). Even with frequency measurements on light beams, an observer cannot distinguish between a constantly accelerated reference frame and a homogeneous gravitational field. Like a thrown stone, light loses its energy when it rises in the gravitational field against the effect of a gravitational attraction. Its frequency decreases, and its color shifts toward the red part of the spectrum, i.e., toward longer wavelengths. If a beam of light is sent from a wall to the opposite wall in a closed box at right angles to the direction of acceleration or gravitational effect, it is indistinguishably curved toward the ground in both cases. This is the case observed by Eddington in 1917 with the deflection of light rays in the gravitational field of the sun. According to the equivalence principle, there are again local effects of gravitational fields that are globally inhomogeneous. Freely falling bodies in inhomogeneous gravitational fields exhibit relative accelerations among themselves. In the absence of gravity, free point particles and light rays move with constant speed on straight lines, i.e., without relative acceleration among themselves. If a gravitational field is switched on, for example, by bringing a large mass into the vicinity, these paths are bent or exhibit relative accelerations. Gravitational effects thus correspond geometrically to orbital curvature. In this sense, an inhomogeneous gravitational field corresponds globally to a curved space-time. At first, this is reminiscent of a well-known case of the spherical geometry on the Earth’s sphere, as it is known in geodesy. The straightest paths on the curved surface of the Earth (e.g., the shortest connection between two places) are circular arcs. If one chooses arbitrarily small sections, one obtains approximate distances: An arc is mathematically composed of infinitesimally small straight

144

Temporal Logic: From Philosophy and Proof Theory

lines. However, the geometry of straight lines is Euclidean. Therefore, in Riemannian differential geometry of curved spaces (e.g., spherical geometry on the surface of a sphere), it is said that Euclidean geometry applies locally in infinitesimally small areas (i.e., approximately also in the environment of an inhabitant of the Earth). Similarly, Einstein’s equivalence principle of the general theory of relativity with curved space-time demands that the uncurved (flat) space-time of Minkowski geometry applies locally in infinitesimally small areas, i.e., the physical laws are locally Lorentz-invariant as in the special theory of relativity. In general, the physical laws are covariant, i.e., they retain their shape (shape invariance) in general (also curved) coordinate transformations. The local Lorentz invariance determines the time and causality relations in a general relativistic gravitational field: If a point (event) can be connected to another point (event) by a time-like curve, then a signal can be sent from this point to the other point but not vice versa. In fact, Einstein’s gravitational equation also allows for solutions in which time-like curves describe closed arcs. In such a world, the physical paradox of an astronaut traveling into his own past would occur. This case raises questions about relativistic cosmology. Empirical confirmation of Einstein’s gravitational equation was provided by light deflection, propagation delay, and perihelion rotation. For time logic, time dilation due to gravitation is of great interest. Clocks that are closer to the center of the earth and thus deeper in the Earth’s gravitational field run, albeit minimally, but measurably slower. This gravitational time dilation, according to general relativity, can be illustrated by a thought experiment with twins. A twin who has been exposed to strong gravitation on the surface of a very dense celestial body (e.g., neutron star) will be significantly younger than his twin brother when he returns to Earth. This gravitational effect on time must be distinguished from time dilation in special relativity, which depends on relativistic kinematic effects. Different developmental models of the universe can be derived on the basis of the general theory of relativity.58 The first empirical evidence for a temporal evolution of the universe goes back to

58

Weinberg (1972), Mainzer (2010, Chapter III.3).

Applications and Outlook of Temporal Logic

145

the astronomer Hubble. In 1929, he discovered that the speed of the galaxies’ escape motion increases with the distance between a galaxy cluster and its observer. This is how he interpreted the observation: The light of very distant galaxies shifts to the red region of the spectrum, i.e., to longer wavelengths. The basis of this explanation is the optical Doppler effect, according to which the wavelengths of light emitted by a moving light source appear longer to an observer at rest as the light source moves away and shorter as it approaches. The cosmological principle assumes that all points in space physically undergo the same evolution correlated in time so that all points at a fixed distance appear to an observer to be just at the same stage of evolution. In this sense, the spatial state of the universe must appear homogeneous and isotropic to the observer at all times in the future and past. The cosmological principle is based on the (simplified) assumption that matter is distributed uniformly (homogeneously) on average in the universe and that its properties remain the same, regardless of an observer’s viewing direction (isotropy). In fact, homogeneity and isotropy are statistically confirmed, at least approximately, by observing the distribution of stars from Earth. Assuming the cosmological principle, Einstein’s gravitational equation gives rise to Friedmann’s standard models of cosmic evolution. Mathematically, the three cases of positive, Euclidean (flat), and negative curvature can be distinguished for homogeneous and isotropic spaces. Flat curvature means no or zero curvature. Cosmic evolution in the three standard models is described by the development of the time-dependent “world radius” R(t) and an energy density function in a first-order differential equation that can be derived from Einstein’s gravitational equation. According to the singularity theorems of Penrose59 and Hawking60 (1970), it also follows from general relativity that the standard cosmic models must have an initial space-time singularity with infinite curvature. Cosmologically, it is interpreted as the “big bang” of the universe. After that, the universe initially expands very rapidly (inflationary universe), then slows down to the velocity of expansion which

59 60

Penrose (1965). Hawking and Penrose (1970).

146

Temporal Logic: From Philosophy and Proof Theory

has been observed by astronomers. In the standard model with positive curvature, the expansion reverses to a collapse, which represents a final singularity. One then speaks of a closed universe. Analogously, in the two-dimensional case, a spherical surface on a sphere with positive curvature is also “closed” and finite. For the other two standard models with flat and negative curvatures, the expansion continues indefinitely with greater or lesser speed. One then also speaks of open (potentially infinite) universes. In the two-dimensional case, the flat curvature corresponds to an unlimited Euclidean plane, while the negative curvature corresponds to an unlimited saddle-like surface. The singularity theorems also predict the possibility of very small regions of relativistic space-time, where space-time can become extremely curved and, therefore, gravity can become maximally large. Astrophysically, these singularities are interpreted as “black holes” preceded, for example, by the death of a large star through gravitational collapse. For this purpose, a three-dimensional spatiotemporal surface (“absolute event horizon”) is assumed, which “swallows up” all incoming signals from outside and does not allow any signals or particles to escape. In the center of this absolute event horizon, the spatio-temporal singularity is assumed, in which the curvature of space-time becomes infinite. It is therefore an absolute end point for causal time signals. A thought experiment with an astronaut approaching a black hole explains the consequences. If this astronaut passes the (relative) event horizon of the black hole and from then on sends a light signal at equal intervals according to his clock to a space station outside the event horizon, the light signals will be received there according to the space station’s clock at ever greater intervals and with a red shift to ever longer wavelength light until the astronaut’s time comes to a standstill as seen from outside, and the light signals can no longer be received because of infinite curvature and maximum gravity. Finally, other cosmological principles have been proposed. The partial cosmological principle, according to G¨ odel,61 is interesting for the discussion of time. According to this principle, the universe is only homogeneous but not isotropic. This solution also allows for Einstein’s gravitational equation. The cosmic space-time associated with it has

61

G¨ odel (1949).

Applications and Outlook of Temporal Logic

147

the possibility of closed, time-like world lines, which allow for highgrade science fiction situations. In G¨odelian space-time, an observer could embark on a journey into the past, only to encounter his or her own former self. However, the microwave background radiation as a relic from the primeval times of the universe empirically refutes this model since it is not only highly homogeneous but also isotropic. But if the cosmological principle is correct, then the question arises as to how the initial singularity of time and the high-degree symmetry of the universe with homogeneity and isotropy are to be explained physically. Obviously, the theory of relativity is no longer sufficient for this. Modern cosmology rather merges with quantum physics and elementary particle physics to form a research program in which the temporal evolution of the universe is to be explained. 4.2.5.

Temporal logics of general relativity

In the sixth task of his famous list of open mathematical problems (1900), Hilbert requests an axiomatization of physics. Historically, he suggested an axiomatization of general relativity in 1915, which was (according to Einstein’s critic) physically false. An axiomatization of special relativity can be introduced in first-order logic (FOL). This formal language distinguishes two sorts of objects: There is a sort Q of quantities (e.g., real numbers) with symbols + and ∗ for operations and < for a 2-ary predicate. The other sort B concerns physical “bodies” (e.g., masses, waves). There are special bodies, such as observers Ob and photons Ph (as elements of light), which are formally considered as 1-ary predicate symbols of sort B. An elementary proposition “observer o observes body b at space-time location p” has the predicative form W (o, b, p). A model of this language is defined by M := (Q, +, ∗,